cvelistv5 - cve-2019-6556

cve-2019-6556

Vulnerability from cvelistv5

Published

2019-04-10 19:48

Modified

2024-08-04 20:23

Severity ?

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01	Mitigation, Third Party Advisory, US Government Resource
ics-cert@hq.dhs.gov	https://www.zerodayinitiative.com/advisories/ZDI-19-344/
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01	Mitigation, Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.zerodayinitiative.com/advisories/ZDI-19-344/

Impacted products

	Vendor	Product	Version
	Omron	CX-Programmer within CX-One	Version: CX-Programmer v9.70 and prior and Common Components January 2019 and prior

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T20:23:22.210Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-344/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "CX-Programmer within CX-One",
          "vendor": "Omron",
          "versions": [
            {
              "status": "affected",
              "version": "CX-Programmer v9.70 and prior and Common Components January 2019 and prior"
            }
          ]
        }
      ],
      "datePublic": "2019-04-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "When processing project files, the application (Omron CX-Programmer v9.70 and prior and Common Components January 2019 and prior) fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-416",
              "description": "USE AFTER FREE CWE-416",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-15T09:06:04",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-344/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2019-6556",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "CX-Programmer within CX-One",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "CX-Programmer v9.70 and prior and Common Components January 2019 and prior"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Omron"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When processing project files, the application (Omron CX-Programmer v9.70 and prior and Common Components January 2019 and prior) fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "USE AFTER FREE CWE-416"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01",
              "refsource": "MISC",
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01"
            },
            {
              "name": "https://www.zerodayinitiative.com/advisories/ZDI-19-344/",
              "refsource": "MISC",
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-344/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2019-6556",
    "datePublished": "2019-04-10T19:48:50",
    "dateReserved": "2019-01-22T00:00:00",
    "dateUpdated": "2024-08-04T20:23:22.210Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2019-6556\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2019-04-10T20:29:01.210\",\"lastModified\":\"2024-11-21T04:46:41.313\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When processing project files, the application (Omron CX-Programmer v9.70 and prior and Common Components January 2019 and prior) fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application.\"},{\"lang\":\"es\",\"value\":\"Al procesar archivos de proyecto, la aplicaci\u00f3n (Omron CX-Programmer v9.70 y Common Components anteriores a enero de 2019) no comprueban si hacen referencia a la memoria liberada. Un atacante podr\u00eda utilizar un archivo de proyecto especialmente dise\u00f1ado para explotar y ejecutar c\u00f3digo bajo los privilegios de la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H\",\"baseScore\":6.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":4.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:omron:common_components:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2019-01\",\"matchCriteriaId\":\"8DE4E5B4-96BD-4DBE-A178-D76922555CA9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:omron:cx-programmer:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"9.70\",\"matchCriteriaId\":\"B224AF99-2E6A-445B-9AC5-3D131A3AF5CD\"}]}]}],\"references\":[{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Mitigation\",\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.zerodayinitiative.com/advisories/ZDI-19-344/\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mitigation\",\"Third Party Advisory\",\"US Government Resource\"]},{\"url\":\"https://www.zerodayinitiative.com/advisories/ZDI-19-344/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

When processing project files, the application (Omron CX-Programmer v9.70 and prior and Common Components January 2019 and prior) fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-One CX-Programmer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of CXP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. Omron CX-Programmer is prone to an arbitrary code-execution vulnerability. Failed attempts will likely cause a denial-of-service condition. Omron CX-Programmer version 9.70 and prior are vulnerable; other versions may also be vulnerable. Both Omron CX-Programmer and Omron Common Components are products of Omron Corporation of Japan. Omron CX-Programmer is a PLC (Programmable Logic Controller) programming software. Omron Common Components is a PLC common component. This product includes PLC tools such as I/O table, PLC memory, PLC system setup, data trace/time graph monitoring, PLC error log, file memory, PLC clock, routing table and data link table. A resource management error vulnerability exists in Omron CX-Programmer 9.70 and earlier and Common Components 2019-1 and earlier. This vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by network systems or products

Show details on source website

JSON

To clipboard

{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "cx-programmer",
        "scope": "lte",
        "trust": 1.8,
        "vendor": "omron",
        "version": "9.70"
      },
      {
        "_id": null,
        "model": "common components",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "omron",
        "version": "2019-01"
      },
      {
        "_id": null,
        "model": "common components",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "omron",
        "version": "january 2019"
      },
      {
        "_id": null,
        "model": "cx-one",
        "scope": null,
        "trust": 0.7,
        "vendor": "omron",
        "version": null
      },
      {
        "_id": null,
        "model": "cx-programmer",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "omron",
        "version": "9.70"
      },
      {
        "_id": null,
        "model": "cx-programmer",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "omron",
        "version": "9.66"
      },
      {
        "_id": null,
        "model": "cx-programmer",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "omron",
        "version": "9.65"
      },
      {
        "_id": null,
        "model": "cx-programmer",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "omron",
        "version": "9.71"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-19-344"
      },
      {
        "db": "BID",
        "id": "107773"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002360"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6556"
      }
    ]
  },
  "configurations": {
    "_id": null,
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:omron:common_components",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/a:omron:cx-programmer",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002360"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "Esteban Ruiz (mr_me) of Source Incite",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-19-344"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2019-6556",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CVE-2019-6556",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.0,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Local",
            "authentication": "None",
            "author": "JPCERT/CC",
            "availabilityImpact": "Partial",
            "baseScore": 4.6,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2019-002360",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "VHN-157991",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 1.8,
            "id": "CVE-2019-6556",
            "impactScore": 4.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Local",
            "author": "JPCERT/CC",
            "availabilityImpact": "High",
            "baseScore": 6.6,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "JVNDB-2019-002360",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "Required",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "ZDI",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.8,
            "id": "CVE-2019-6556",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 0.7,
            "userInteraction": "REQUIRED",
            "vectorString": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2019-6556",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "JPCERT/CC",
            "id": "JVNDB-2019-002360",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "ZDI",
            "id": "CVE-2019-6556",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201904-228",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-157991",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-19-344"
      },
      {
        "db": "VULHUB",
        "id": "VHN-157991"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002360"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-228"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6556"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "When processing project files, the application (Omron CX-Programmer v9.70 and prior and Common Components January 2019 and prior) fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OMRON CX-One CX-Programmer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of CXP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. Omron CX-Programmer is prone to an arbitrary code-execution vulnerability. Failed attempts will likely  cause a denial-of-service condition. \nOmron CX-Programmer version 9.70 and prior are vulnerable; other versions may also be vulnerable. Both Omron CX-Programmer and Omron Common Components are products of Omron Corporation of Japan. Omron CX-Programmer is a PLC (Programmable Logic Controller) programming software. Omron Common Components is a PLC common component. This product includes PLC tools such as I/O table, PLC memory, PLC system setup, data trace/time graph monitoring, PLC error log, file memory, PLC clock, routing table and data link table. A resource management error vulnerability exists in Omron CX-Programmer 9.70 and earlier and Common Components 2019-1 and earlier. This vulnerability stems from improper management of system resources (such as memory, disk space, files, etc.) by network systems or products",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-6556"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002360"
      },
      {
        "db": "ZDI",
        "id": "ZDI-19-344"
      },
      {
        "db": "BID",
        "id": "107773"
      },
      {
        "db": "VULHUB",
        "id": "VHN-157991"
      }
    ],
    "trust": 2.61
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-6556",
        "trust": 3.5
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-19-094-01",
        "trust": 2.8
      },
      {
        "db": "ZDI",
        "id": "ZDI-19-344",
        "trust": 2.4
      },
      {
        "db": "BID",
        "id": "107773",
        "trust": 1.0
      },
      {
        "db": "JVN",
        "id": "JVNVU98267543",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002360",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-6609",
        "trust": 0.7
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-228",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.1152",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-157991",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-19-344"
      },
      {
        "db": "VULHUB",
        "id": "VHN-157991"
      },
      {
        "db": "BID",
        "id": "107773"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002360"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-228"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6556"
      }
    ]
  },
  "id": "VAR-201904-0185",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-157991"
      }
    ],
    "trust": 0.63087795
  },
  "last_update_date": "2024-11-23T21:52:22.055000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "CX-One \u30d0\u30fc\u30b8\u30e7\u30f3\u30a2\u30c3\u30d7 \u30d7\u30ed\u30b0\u30e9\u30e0 \u30c0\u30a6\u30f3\u30ed\u30fc\u30c9",
        "trust": 0.8,
        "url": "https://www.fa.omron.co.jp/product/tool/26/cxone/one1.html"
      },
      {
        "title": "CX-Programmer \u306e\u66f4\u65b0\u5185\u5bb9 | Ver.9.71 : CX-One\u30aa\u30fc\u30c8\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\uff08V4\u5411\u3051_2019\u5e744\u6708\uff09",
        "trust": 0.8,
        "url": "https://www.fa.omron.co.jp/product/tool/26/cxone/j4_doc.html#cx_programmer"
      },
      {
        "title": "\u5171\u901a\u30e2\u30b8\u30e5\u30fc\u30eb \u306e\u66f4\u65b0\u5185\u5bb9 | \u2212 \uff1aCX-One\u30aa\u30fc\u30c8\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\uff08V4\u5411\u3051_2019\u5e744\u6708\uff09",
        "trust": 0.8,
        "url": "https://www.fa.omron.co.jp/product/tool/26/cxone/j4_doc.html#common_module"
      },
      {
        "title": "Omron has issued an update to correct this vulnerability.",
        "trust": 0.7,
        "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01"
      },
      {
        "title": "Omron CX-Programmer Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=91096"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-19-344"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002360"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-228"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-416",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-157991"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002360"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6556"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 3.5,
        "url": "https://ics-cert.us-cert.gov/advisories/icsa-19-094-01"
      },
      {
        "trust": 1.7,
        "url": "https://www.zerodayinitiative.com/advisories/zdi-19-344/"
      },
      {
        "trust": 1.4,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-6556"
      },
      {
        "trust": 1.2,
        "url": "http://www.securityfocus.com/bid/107773"
      },
      {
        "trust": 0.9,
        "url": "https://industrial.omron.us/en/home"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-6556"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu98267543/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/78474"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-19-344"
      },
      {
        "db": "VULHUB",
        "id": "VHN-157991"
      },
      {
        "db": "BID",
        "id": "107773"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002360"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-228"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6556"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-19-344",
        "ident": null
      },
      {
        "db": "VULHUB",
        "id": "VHN-157991",
        "ident": null
      },
      {
        "db": "BID",
        "id": "107773",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002360",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-228",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2019-6556",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2019-04-15T00:00:00",
        "db": "ZDI",
        "id": "ZDI-19-344",
        "ident": null
      },
      {
        "date": "2019-04-10T00:00:00",
        "db": "VULHUB",
        "id": "VHN-157991",
        "ident": null
      },
      {
        "date": "2019-04-04T00:00:00",
        "db": "BID",
        "id": "107773",
        "ident": null
      },
      {
        "date": "2019-04-08T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-002360",
        "ident": null
      },
      {
        "date": "2019-04-04T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201904-228",
        "ident": null
      },
      {
        "date": "2019-04-10T20:29:01.210000",
        "db": "NVD",
        "id": "CVE-2019-6556",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2019-04-15T00:00:00",
        "db": "ZDI",
        "id": "ZDI-19-344",
        "ident": null
      },
      {
        "date": "2019-04-15T00:00:00",
        "db": "VULHUB",
        "id": "VHN-157991",
        "ident": null
      },
      {
        "date": "2019-04-04T00:00:00",
        "db": "BID",
        "id": "107773",
        "ident": null
      },
      {
        "date": "2019-09-30T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-002360",
        "ident": null
      },
      {
        "date": "2019-04-16T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201904-228",
        "ident": null
      },
      {
        "date": "2024-11-21T04:46:41.313000",
        "db": "NVD",
        "id": "CVE-2019-6556",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-228"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "_id": null,
    "data": "OMRON  CX-One Free memory usage vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-002360"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "resource management error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201904-228"
      }
    ],
    "trust": 0.6
  }
}

fkie_cve-2019-6556

Vulnerability from fkie_nvd

Published

2019-04-10 20:29

Modified

2024-11-21 04:46

Severity ?

6.6 (Medium) - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Summary

References

URL	Tags
ics-cert@hq.dhs.gov	https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01	Mitigation, Third Party Advisory, US Government Resource
ics-cert@hq.dhs.gov	https://www.zerodayinitiative.com/advisories/ZDI-19-344/
af854a3a-2127-422b-91ae-364da2661108	https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01	Mitigation, Third Party Advisory, US Government Resource
af854a3a-2127-422b-91ae-364da2661108	https://www.zerodayinitiative.com/advisories/ZDI-19-344/

Impacted products

	Vendor	Product	Version
	omron	common_components	*
	omron	cx-programmer	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:omron:common_components:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8DE4E5B4-96BD-4DBE-A178-D76922555CA9",
              "versionEndIncluding": "2019-01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:omron:cx-programmer:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B224AF99-2E6A-445B-9AC5-3D131A3AF5CD",
              "versionEndIncluding": "9.70",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When processing project files, the application (Omron CX-Programmer v9.70 and prior and Common Components January 2019 and prior) fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application."
    },
    {
      "lang": "es",
      "value": "Al procesar archivos de proyecto, la aplicaci\u00f3n (Omron CX-Programmer v9.70 y Common Components anteriores a enero de 2019) no comprueban si hacen referencia a la memoria liberada. Un atacante podr\u00eda utilizar un archivo de proyecto especialmente dise\u00f1ado para explotar y ejecutar c\u00f3digo bajo los privilegios de la aplicaci\u00f3n."
    }
  ],
  "id": "CVE-2019-6556",
  "lastModified": "2024-11-21T04:46:41.313",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.6,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 4.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-04-10T20:29:01.210",
  "references": [
    {
      "source": "ics-cert@hq.dhs.gov",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01"
    },
    {
      "source": "ics-cert@hq.dhs.gov",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-344/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ],
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-344/"
    }
  ],
  "sourceIdentifier": "ics-cert@hq.dhs.gov",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "ics-cert@hq.dhs.gov",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ICSA-19-094-01

Vulnerability from csaf_cisa

Published

2019-04-04 00:00

Modified

2019-04-04 00:00

Summary

Omron CX-Programmer

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker to execute code under the privileges of the application.

Critical infrastructure sectors

Critical Manufacturing

Countries/areas deployed

Worldwide

Company headquarters location

Japan

Recommended Practices

NCCIC recommends that users take the following measures to protect themselves from social engineering attacks:

Recommended Practices

NCCIC also recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Recommended Practices

Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.

Exploitability

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Esteban Ruiz (mr_me)"
        ],
        "organization": "Source Incite",
        "summary": "reporting this vulnerability to NCCIC"
      },
      {
        "organization": "Trend Micro \u0027s Zero Day Initiative",
        "summary": "reporting this vulnerability to NCCIC"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker to execute code under the privileges of the application.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Critical Manufacturing",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Japan",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC recommends that users take the following measures to protect themselves from social engineering attacks:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC also recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-094-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2019/icsa-19-094-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-094-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-094-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Omron CX-Programmer",
    "tracking": {
      "current_release_date": "2019-04-04T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-19-094-01",
      "initial_release_date": "2019-04-04T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2019-04-04T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-19-094-01 Omron CX-Programmer"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 9.70",
                "product": {
                  "name": "CX-Programmer: v9.70 and prior",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "CX-Programmer"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= January 2019",
                "product": {
                  "name": "Common Components: January 2019 and prior",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Common Components"
          }
        ],
        "category": "vendor",
        "name": "Omron"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-6556",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "When processing project files, the application fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application.CVE-2019-6556 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6556"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Omron has released an updated version of CX-One to address the vulnerability. This release is available through the CX-One auto-update service.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "mitigation",
          "details": "CX-Programmer Version 9.71",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Common Components April 2019",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ]
    }
  ]
}

icsa-19-094-01

Vulnerability from csaf_cisa

Published

2019-04-04 00:00

Modified

2019-04-04 00:00

Summary

Omron CX-Programmer

Notes

CISA Disclaimer

This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov

Legal Notice

Risk evaluation

Successful exploitation of this vulnerability could allow an attacker to execute code under the privileges of the application.

Critical infrastructure sectors

Critical Manufacturing

Countries/areas deployed

Worldwide

Company headquarters location

Japan

Recommended Practices

NCCIC recommends that users take the following measures to protect themselves from social engineering attacks:

Recommended Practices

NCCIC also recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Recommended Practices

Exploitability

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.

JSON

To clipboard

{
  "document": {
    "acknowledgments": [
      {
        "names": [
          "Esteban Ruiz (mr_me)"
        ],
        "organization": "Source Incite",
        "summary": "reporting this vulnerability to NCCIC"
      },
      {
        "organization": "Trend Micro \u0027s Zero Day Initiative",
        "summary": "reporting this vulnerability to NCCIC"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://us-cert.cisa.gov/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "This CSAF advisory was extracted from unstructured data and may contain inaccuracies. If you notice any errors, please reach out to the designated contact at CISA CSAF: central@cisa.dhs.gov",
        "title": "CISA Disclaimer"
      },
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://us-cert.cisa.gov/ics are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability could allow an attacker to execute code under the privileges of the application.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Critical Manufacturing",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Japan",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "NCCIC recommends that users take the following measures to protect themselves from social engineering attacks:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC also recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "NCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.NCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely.",
        "title": "Exploitability"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "Email: CISAservicedesk@cisa.dhs.gov;\n Toll Free: 1-888-282-0870",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-094-01 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2019/icsa-19-094-01.json"
      },
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-19-094-01 Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-19-094-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B"
      }
    ],
    "title": "Omron CX-Programmer",
    "tracking": {
      "current_release_date": "2019-04-04T00:00:00.000000Z",
      "generator": {
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-19-094-01",
      "initial_release_date": "2019-04-04T00:00:00.000000Z",
      "revision_history": [
        {
          "date": "2019-04-04T00:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "ICSA-19-094-01 Omron CX-Programmer"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= 9.70",
                "product": {
                  "name": "CX-Programmer: v9.70 and prior",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "CX-Programmer"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c= January 2019",
                "product": {
                  "name": "Common Components: January 2019 and prior",
                  "product_id": "CSAFPID-0002"
                }
              }
            ],
            "category": "product_name",
            "name": "Common Components"
          }
        ],
        "category": "vendor",
        "name": "Omron"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-6556",
      "cwe": {
        "id": "CWE-416",
        "name": "Use After Free"
      },
      "notes": [
        {
          "category": "summary",
          "text": "When processing project files, the application fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application.CVE-2019-6556 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H).",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "web.nvd.nist.gov",
          "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6556"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Omron has released an updated version of CX-One to address the vulnerability. This release is available through the CX-One auto-update service.",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "mitigation",
          "details": "CX-Programmer Version 9.71",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "Common Components April 2019",
          "product_ids": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-0001",
            "CSAFPID-0002"
          ]
        }
      ]
    }
  ]
}

gsd-2019-6556

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Aliases

CVE-2019-6556

Aliases

CVE-2019-6556

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-6556",
    "description": "When processing project files, the application (Omron CX-Programmer v9.70 and prior and Common Components January 2019 and prior) fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application.",
    "id": "GSD-2019-6556"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-6556"
      ],
      "details": "When processing project files, the application (Omron CX-Programmer v9.70 and prior and Common Components January 2019 and prior) fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application.",
      "id": "GSD-2019-6556",
      "modified": "2023-12-13T01:23:49.242798Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "ics-cert@hq.dhs.gov",
        "ID": "CVE-2019-6556",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "CX-Programmer within CX-One",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "CX-Programmer v9.70 and prior and Common Components January 2019 and prior"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Omron"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "When processing project files, the application (Omron CX-Programmer v9.70 and prior and Common Components January 2019 and prior) fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "USE AFTER FREE CWE-416"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01",
            "refsource": "MISC",
            "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01"
          },
          {
            "name": "https://www.zerodayinitiative.com/advisories/ZDI-19-344/",
            "refsource": "MISC",
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-344/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:omron:common_components:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2019-01",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:omron:cx-programmer:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "9.70",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2019-6556"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "When processing project files, the application (Omron CX-Programmer v9.70 and prior and Common Components January 2019 and prior) fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-416"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01",
              "refsource": "MISC",
              "tags": [
                "Mitigation",
                "US Government Resource",
                "Third Party Advisory"
              ],
              "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01"
            },
            {
              "name": "https://www.zerodayinitiative.com/advisories/ZDI-19-344/",
              "refsource": "MISC",
              "tags": [],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-344/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 4.7
        }
      },
      "lastModifiedDate": "2019-04-15T12:31Z",
      "publishedDate": "2019-04-10T20:29Z"
    }
  }
}

ghsa-vv73-vf82-3769

Vulnerability from github

Published

2022-05-14 01:10

Modified

2022-05-14 01:10

Severity ?

6.6 (Medium) - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-6556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-04-10T20:29:00Z",
    "severity": "MODERATE"
  },
  "details": "When processing project files, the application (Omron CX-Programmer v9.70 and prior and Common Components January 2019 and prior) fails to check if it is referencing freed memory. An attacker could use a specially crafted project file to exploit and execute code under the privileges of the application.",
  "id": "GHSA-vv73-vf82-3769",
  "modified": "2022-05-14T01:10:37Z",
  "published": "2022-05-14T01:10:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-6556"
    },
    {
      "type": "WEB",
      "url": "https://ics-cert.us-cert.gov/advisories/ICSA-19-094-01"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-19-344"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2019-6556

Vulnerability from cvelistv5

var-201904-0185

Vulnerability from variot

fkie_cve-2019-6556

Vulnerability from fkie_nvd

ICSA-19-094-01

Vulnerability from csaf_cisa

icsa-19-094-01

Vulnerability from csaf_cisa

gsd-2019-6556

Vulnerability from gsd

ghsa-vv73-vf82-3769

Vulnerability from github

Tags

Sightings

Nomenclature