ID CVE-2015-7918 Type cve Reporter NVD Modified 2015-12-16T08:21:54
Description
Multiple buffer overflows in the F1BookView ActiveX control in F1 Bookview in Schneider Electric ProClima before 6.2 allow remote attackers to execute arbitrary code via the (1) Attach, (2) DefinedName, (3) DefinedNameLocal, (4) ODBCPrepareEx, (5) ObjCreatePolygon, (6) SetTabbedTextEx, or (7) SetValidationRule method, a different vulnerability than CVE-2015-8561.
{"reporter": "NVD", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "published": "2015-12-15T00:59:08", "cvelist": ["CVE-2015-7918"], "title": "CVE-2015-7918", "objectVersion": "1.2", "type": "cve", "hash": "2938af3f4229e0a3dabd7d0012776fe4a3c8ee7b0505753c37199fc99ff74bd3", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7918", "bulletinFamily": "NVD", "id": "CVE-2015-7918", "history": [], "scanner": [], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "modified": "2015-12-16T08:21:54", "viewCount": 0, "cpe": ["cpe:/a:schneider-electric:proclima:6.1"], "edition": 1, "description": "Multiple buffer overflows in the F1BookView ActiveX control in F1 Bookview in Schneider Electric ProClima before 6.2 allow remote attackers to execute arbitrary code via the (1) Attach, (2) DefinedName, (3) DefinedNameLocal, (4) ODBCPrepareEx, (5) ObjCreatePolygon, (6) SetTabbedTextEx, or (7) SetValidationRule method, a different vulnerability than CVE-2015-8561.", "references": ["http://www.zerodayinitiative.com/advisories/ZDI-15-634", "http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2015-329-01", "http://www.zerodayinitiative.com/advisories/ZDI-15-630", "http://www.zerodayinitiative.com/advisories/ZDI-15-633", "http://www.zerodayinitiative.com/advisories/ZDI-15-635", "http://www.zerodayinitiative.com/advisories/ZDI-15-632", "https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02", "http://www.zerodayinitiative.com/advisories/ZDI-15-625", "http://www.zerodayinitiative.com/advisories/ZDI-15-631"], "lastseen": "2016-09-03T23:20:28", "assessment": {"system": "", "name": "", "href": ""}}
{"zdi": [{"lastseen": "2016-11-09T00:17:47", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Schneider Electric ProClima. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the implementation of the SetTabbedTextEx method of the F1BookView control. Memory corruption occurs when a long string is passed by the user to the method. An attacker could leverage this flaw to execute code under the context of the process.", "reporter": "Fritz Sands - HP Zero Day Initiative", "published": "2015-12-08T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Schneider Electric ProClima F1BookView ActiveX Control SetTabbedTextEx Method Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2015-7918"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-635", "id": "ZDI-15-635", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:13", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Schneider Electric ProClima. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the implementation of the SetValidationRule method of the F1BookView control. A buffer overrun occurs when a long string is passed by the user to the method. An attacker could leverage this flaw to execute code under the context of the process.", "reporter": "Fritz Sands - HP Zero Day Initiative", "published": "2015-12-08T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Schneider Electric ProClima F1BookView ActiveX Control SetValidationRule Method Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2015-7918"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-634", "id": "ZDI-15-634", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:17:47", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Schneider Electric ProClima. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the implementation of the ODBCPrepareEx method of the F1BookView control. A buffer overrun occurs when a long string is passed by the user to the method. An attacker could leverage this flaw to execute code under the context of the process.", "reporter": "Fritz Sands - HP Zero Day Initiative", "published": "2015-12-08T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Schneider Electric ProClima F1BookView ActiveX Control ODBCPrepareEx Method Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2015-7918"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-625", "id": "ZDI-15-625", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:13", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Schneider Electric ProClima. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the implementation of the DefinedNameLocal method of the F1BookView control. Memory corruption occurs when a long user-supplied name is supplied. Later in processing, the code jumps to an address outside of normal flow. An attacker could leverage this flaw to execute code under the context of the process.", "reporter": "Fritz Sands - HP Zero Day Initiative", "published": "2015-12-08T00:00:00", "title": "Schneider Electric ProClima F1BookView ActiveX Control DefinedNameLocal Method Remote Code Execution Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2015-7918"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-631", "id": "ZDI-15-631", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:17:53", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Schneider Electric ProClima. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the implementation of the Attach method of the F1BookView control. A buffer overrun occurs when a long string is passed by the user to the method. An attacker could leverage this flaw to execute code under the context of the process.", "reporter": "Fritz Sands - HP Zero Day Initiative", "published": "2015-12-08T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Schneider Electric ProClima F1BookView ActiveX Control Attach Method Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2015-7918"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-633", "id": "ZDI-15-633", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:13", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Schneider Electric ProClima. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the implementation of the ObjCreatePolygon method of the F1BookView control. Memory corruption occurs when a long string is passed by the user as either of the array parameters to the method. An attacker could leverage this flaw to execute code under the context of the process.", "reporter": "Fritz Sands - HP Zero Day Initiative", "published": "2015-12-08T00:00:00", "title": "Schneider Electric ProClima F1BookView ActiveX Control ObjCreatePolygon Method Remote Code Execution Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2015-7918"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-632", "id": "ZDI-15-632", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:09", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02"], "edition": 2, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Schneider Electric ProClima. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the implementation of the DefinedName method. Memory corruption occurs when a long user-supplied name is supplied. Later in processing, the code jumps to an address outside of normal flow. An attacker may be able to leverage this flaw to execute code under the context of the process.", "reporter": "Fritz Sands - HP Zero Day Initiative", "published": "2015-12-08T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Schneider Electric ProClima F1BookView ActiveX Control DefinedName Method Remote Code Execution Vulnerability", "type": "zdi", "bulletinFamily": "info", "cvelist": ["CVE-2015-7918"], "modified": "2015-11-09T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-15-630", "id": "ZDI-15-630", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ics": [{"lastseen": "2018-08-31T01:37:38", "references": ["http://ics-cert.us-cert.gov/content/recommended-practices", "https://www.us-cert.gov/forms/feedback?helpful=yes&document=ICSA-15-335-02 Schneider Electric ProClima ActiveX Control Vulnerabilities&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02&site_name=ICS-CERT", "http://www.schneider-electric.com/ww/en/download/document/SEVD-2015-329-01", "https://www.us-cert.gov/forms/feedback?helpful=no&document=ICSA-15-335-02 Schneider Electric ProClima ActiveX Control Vulnerabilities&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02&site_name=ICS-CERT", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7918", "https://www.us-cert.gov/forms/feedback?helpful=somewhat&document=ICSA-15-335-02 Schneider Electric ProClima ActiveX Control Vulnerabilities&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-15-335-02&site_name=ICS-CERT", "https://www.facebook.com/sharer.php?u=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-15-335-02", "http://www.us-cert.gov/pdf/", "http://www.us-cert.gov/accessibility/", "http://www.schneider-electric.com/en/product-range-download/2560-proclima", "https://ics-cert.us-cert.gov/Report-Incident?", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "http://www.us-cert.gov/tlp/", "http://www.us-cert.gov/tlp/", "http://ics-cert.us-cert.gov", "http://ics-cert.us-cert.gov", "http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B", "http://twitter.com/icscert", "http://twitter.com/icscert", "http://ics-cert.us-cert.gov/", "https://twitter.com/share?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-15-335-02", "http://cwe.mitre.org/data/definitions/94.html", "http://www.us-cert.gov/privacy/", "http://www.addthis.com/bookmark.php?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-15-335-02", "http://www.dhs.gov", "http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf", "http://www.dhs.gov/report-cyber-risks"], "description": "## OVERVIEW\n\nAriele Caltabiano, working with HP\u2019s Zero Day Initiative, has identified 11 remote code execution vulnerabilities in Schneider Electric\u2019s ProClima F1 Bookview ActiveX control application. Schneider Electric has produced an update to mitigate these vulnerabilities.\n\nThese vulnerabilities could be exploited remotely.\n\n## AFFECTED PRODUCTS\n\nSchneider Electric reports that the vulnerabilities affect the following versions of ProClima:\n\n * Version 6.1 and prior.\n\n## IMPACT\n\nThese vulnerabilities can be used to modify arbitrary memory and lead to remote code execution.\n\nImpact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nSchneider Electric\u2019s corporate headquarters is located in Paris, France, and maintains offices in more than 100 countries worldwide.\n\nThe affected product, ProClima, is a configuration utility used to design control panel enclosures to accommodate the thermal load from the electrical/electronic devices inside and from the environment. According to Schneider Electric, ProClima is used across several sectors including Critical Manufacturing, Commercial Facilities, and Energy. Schneider Electric estimates that this product is used primarily in the United States and Europe with a small percentage in Asia.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### REMOTE CODE EXECUTIONa\n\nProClima has 11 vulnerabilities that allow code injection. This could allow the attacker to cause a crash or to execute arbitrary code.\n\nCVE-2015-7918b has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).c\n\n### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThese vulnerabilities could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nNo known public exploits specifically target these vulnerabilities.\n\n#### DIFFICULTY\n\nAn attacker with a low skill would be able to exploit these vulnerabilities.\n\n## MITIGATION\n\nSchneider Electric has developed an update for ProClima software. The update is available at the following URL:\n\n<http://www.schneider-electric.com/en/product-range-download/2560-proclima>.\n\nFor more information on this vulnerability and the associated patch, please see Schneider Electric\u2019s SEVD-2015-329-01, released November 25, 2015:\n\n<http://www.schneider-electric.com/ww/en/download/document/SEVD-2015-329-01>\n\nICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: <http://ics-cert.us-cert.gov/content/recommended-practices>. Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.](<http://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>)\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B>), that is available for download from the ICS-CERT web site (<http://ics-cert.us-cert.gov/>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\n * a. CWE-94: Improper Control of Generation of Code (\u201cCode Injection\u201d), <http://cwe.mitre.org/data/definitions/94.html>, web site last accessed December 01, 2015.\n * b. NVD, <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7918>, NIST uses this advisory to create the CVE web site report. This web site will be active sometime after publication of this advisory.\n * c. CVSS Calculator, [https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S...](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L>) , web site last accessed December 01, 2015.\n", "edition": 6, "reporter": "Industrial Control Systems Cyber Emergency Response Team", "published": "2015-12-01T00:00:00", "title": "Schneider Electric ProClima ActiveX Control Vulnerabilities", "type": "ics", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2015-7918"], "modified": "2018-08-27T00:00:00", "id": "ICSA-15-335-02", "href": "https://ics-cert.us-cert.gov//advisories/ICSA-15-335-02", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}
