1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low Attack Complexity
- Vendor: Schneider Electric
- Equipment: EcoStruxure Foxboro DCS Core Control Services
- Vulnerabilities: Out-of-bounds Write, Improper Validation of Array Index, Improper Input Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could lead to a loss of system functionality or unauthorized access to system functions.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
- EcoStruxure Foxboro DCS Core Control Services: Versions 9.8 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
An out-of-bounds write vulnerability exists that could cause local denial of service or a kernel memory leak when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
CVE-2024-5679 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).
3.2.2 IMPROPER VALIDATION OF ARRAY INDEX CWE-129
An improper validation of array index vulnerability exists that could cause local denial of service when a malicious actor with local user access crafts a script/program using an IOCTL call in the Foxboro.sys driver.
CVE-2024-5680 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CV
[…]
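Both IOCTL issues described in 3.2.1 and 3.2.2 belong to the class of bugs where a driver trusts an index or a length taken from a caller-supplied buffer. The block below is an added example, not code from the advisory or from Schneider Electric: it models a hypothetical IOCTL write handler in user-space C, with the unchecked pattern beside the validated one. Every structure, function and constant name in it is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout: none of these names come from Foxboro.sys. */
#define SLOT_COUNT 8u
#define SLOT_SIZE  32u

enum { ST_OK = 0, ST_BAD_LENGTH = -1, ST_BAD_INDEX = -2 };

struct slot_hdr {        /* start of the caller-controlled input buffer */
    uint32_t index;      /* which slot to write                         */
    uint32_t length;     /* payload bytes the caller claims to send     */
};

static uint8_t g_slots[SLOT_COUNT][SLOT_SIZE];

/* Unchecked form, shown for contrast only and never called here:
 * index and length are trusted, so the copy can land outside g_slots. */
int handle_write_unchecked(const void *in, size_t in_len)
{
    const struct slot_hdr *h = in;
    (void)in_len;
    memcpy(g_slots[h->index], (const uint8_t *)in + sizeof *h, h->length);
    return ST_OK;                        /* CWE-129 and CWE-787 */
}

/* Hardened form: every caller-supplied field is validated before use. */
int handle_write_checked(const void *in, size_t in_len)
{
    struct slot_hdr hdr;

    if (in == NULL || in_len < sizeof hdr)
        return ST_BAD_LENGTH;            /* header must be fully present   */
    memcpy(&hdr, in, sizeof hdr);        /* snapshot once: no double fetch */

    if (hdr.index >= SLOT_COUNT)
        return ST_BAD_INDEX;             /* CWE-129: index inside array    */
    if (hdr.length > SLOT_SIZE)
        return ST_BAD_LENGTH;            /* CWE-787: fits the destination  */
    if (hdr.length > in_len - sizeof hdr)
        return ST_BAD_LENGTH;            /* payload was actually supplied  */

    memcpy(g_slots[hdr.index], (const uint8_t *)in + sizeof hdr, hdr.length);
    return ST_OK;
}
```

In a real kernel driver the same checks apply to the buffer and lengths the I/O manager hands to the dispatch routine, with the header copied out of the user buffer once before any field is used.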