SB2019011805 - Multiple vulnerabilities in Omron CX-Supervisor

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019011805

SB2019011805 - Multiple vulnerabilities in Omron CX-Supervisor

Published: January 18, 2019

Security Bulletin ID SB2019011805
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 60% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Code injection (CVE-ID: CVE-2018-19011)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to code injection. A remote unauthenticated attacker can trick the victim into processing a specially crafted processing project files and execute arbitrary code that has been injected into a file under the privileges of the application.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Command injection (CVE-ID: CVE-2018-19013)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to command injection. A remote unauthenticated attacker can trick the victim into processing a specially crafted processing project files that allows to inject and execute commands to delete files and/or delete the contents of a file on the device.


3) Command injection (CVE-ID: CVE-2018-19015)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists due to command injection. A remote unauthenticated attacker can trick the victim into processing a specially crafted processing project files that allows to inject and execute commands to launch programs and create, write, and read files on the device.


4) Use-after-free error (CVE-ID: CVE-2018-19017)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to use-after-free error when malicious input. A remote unauthenticated attacker can trick the victim into processing a specially crafted processing project files, trigger memory corruption and execute arbitrary code under the privileges of the application.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


5) Type confusion (CVE-ID: CVE-2018-19019)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to type confusion when malicious input. A remote unauthenticated attacker can trick the victim into processing a specially crafted processing project files, trigger memory corruption and execute arbitrary code under the privileges of the application.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References