1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low attack complexity
- Vendor: Rockwell Automation
- Equipment: AADvance Trusted SIS Workstation
- Vulnerabilities: Improper Input Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in an attacker executing code within the context of a current process.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of AADvance Trusted SIS Workstation, a manufacturing controller management suite, are affected:
- AADvance Trusted SIS Workstation: 2.00.01 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER INPUT VALIDATION CWE-20
A vulnerability exists that could allow remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability because the target must visit a malicious page or open a malicious file. The specific vulnerability exists in the parsing of 7Z files. The problem results from a lack of proper validation of user-supplied data, which can lead to an integer underflow before writing to memory. A threat actor can exploit this vulnerability to execute code in the context of the current process.
CVE-2023-31102 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
3.2.2 OUT-OF-BOUNDS WRITE CWE-787
A SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution exists in 7-Zip that allows remote threat actors to execute arbitrary cod
[…]