製品・ソフトウェアに関する情報

JVN脆弱性詳細

ISSymbol 仮想マシンの ISSymbol ActiveX コントロールにおけるバッファオーバーフローの脆弱性

Title	ISSymbol 仮想マシンの ISSymbol ActiveX コントロールにおけるバッファオーバーフローの脆弱性
Summary	Advantech Studio、InduSoft Web Studio、および InduSoft Thin Client でディストリービューションされている ISSymbol 仮想マシンの ISSymbol.ocx のISSymbol ActiveX コントロールには、バッファオーバーフローの脆弱性が存在します。
Possible impacts	第三者により、以下を介して、任意のコードを実行される可能性があります。 (1) 過度に長い InternationalOrder プロパティ値 (2) 過度に長い InternationalSeparator プロパティ値 (3) 過度に長い LogFileName プロパティ値 (4) OpenScreen.メソッドへの過度に長い bstrFileName 引数
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	May 4, 2011, midnight
Registration Date	March 27, 2012, 6:42 p.m.
Last Update	April 6, 2016, 5:24 p.m.

Affected System

アドバンテック株式会社

Advantech Studio 6.1:sp6_61.6.01.05

Schneider Electric

InduSoft Web Studio 7.0+SP1 未満

Thin Client 7.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-0340	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0340
National Vulnerability Database (NVD)
2	CVE-2011-0340	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0340

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Advantech
1	Advantech Studio ISSymbol ActiveX Buffer Overflow	http://www.advantechdirect.com/eMarketingPrograms/AStudio_Patch/AStudio7.0_Patch_Final.htm
2	Top Page	http://www.advantech.com/products/
Schneider Electric
3	Security Updates and Hotfixes	http://www.indusoft.com/Login?returnurl=%2fProducts-Downloads%2fSecurity-Hotfix-Updates

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-11-168-01A	http://www.us-cert.gov/control_systems/pdf/ICSA-11-168-01A.pdf
2	ICSA-12-137-02	http://www.us-cert.gov/control_systems/pdf/ICSA-12-137-02.pdf
3	ICSA-12-249-03	https://ics-cert.us-cert.gov/advisories/ICSA-12-249-03
ICS-CERT ALERT
4	ICS-ALERT-11-131-01	http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-131-01.pdf

Change Log

No	Changed Details	Date of change
0	[2012年03月27日] 掲載 [2016年04月06日] ベンダ情報：アドバンテック株式会社 (Advantech Studio ISSymbol ActiveX Buffer Overflow) を追加参考情報：CS-CERT ADVISORY (ICSA-12-249-03) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2011-0340

Summary	Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft Web Studio before 7.0+SP1, and InduSoft Thin Client 7.0, allow remote attackers to execute arbitrary code via a long (1) InternationalOrder, (2) InternationalSeparator, or (3) LogFileName property value; or (4) a long bstrFileName argument to the OpenScreen method.
Publication Date	May 5, 2011, 7:55 a.m.
Registration Date	Jan. 28, 2021, 4:37 p.m.
Last Update	Nov. 21, 2024, 10:23 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:indusoft:web_studio:6.1:::::::*
cpe:2.3:a:indusoft:thin_client:7.0:::::::*
cpe:2.3:a:advantech:advantech_studio:6.1:sp6_61.6.01.05::::::
cpe:2.3:a:indusoft:web_studio::::::::		7.0
cpe:2.3:a:indusoft:web_studio:6.1:sp6::::::

Related information, measures and tools

No	URL	タグ
1	http://ics-cert.us-cert.gov/advisories/ICSA-12-249-03
2	http://secunia.com/advisories/42928	Vendor Advisory
3	http://secunia.com/advisories/43116	Vendor Advisory
4	http://secunia.com/secunia_research/2011-36/	Vendor Advisory
5	http://secunia.com/secunia_research/2011-37/	Vendor Advisory
6	http://www.advantechdirect.com/eMarketingPrograms/AStudio_Patch/AStudio7.0_Patch_Final.htm
7	http://www.indusoft.com/hotfixes/hotfixes.php
8	http://www.securityfocus.com/bid/47596
9	http://www.us-cert.gov/control_systems/pdf/ICSA-12-137-02.pdf
10	http://www.vupen.com/english/advisories/2011/1115	Vendor Advisory
11	http://www.vupen.com/english/advisories/2011/1116	Vendor Advisory
12	http://ics-cert.us-cert.gov/advisories/ICSA-12-249-03
13	http://www.vupen.com/english/advisories/2011/1116	Vendor Advisory
14	http://www.vupen.com/english/advisories/2011/1115	Vendor Advisory
15	http://www.us-cert.gov/control_systems/pdf/ICSA-12-137-02.pdf
16	http://www.securityfocus.com/bid/47596
17	http://www.indusoft.com/hotfixes/hotfixes.php
18	http://www.advantechdirect.com/eMarketingPrograms/AStudio_Patch/AStudio7.0_Patch_Final.htm
19	http://secunia.com/secunia_research/2011-37/	Vendor Advisory
20	http://secunia.com/secunia_research/2011-36/	Vendor Advisory
21	http://secunia.com/advisories/43116	Vendor Advisory
22	http://secunia.com/advisories/42928	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html