CVE-2011-0340 — HIGH (9.3) — White Hats Nepal

Q: How severe is CVE-2011-0340?

CVE-2011-0340 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2011-0340?

Check the references section above for vendor advisories and patch information. Affected products include: Advantech Advantech Studio, Indusoft Thin Client, Indusoft Web Studio.

Vulnerability Description

Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft Web Studio before 7.0+SP1, and InduSoft Thin Client 7.0, allow remote attackers to execute arbitrary code via a long (1) InternationalOrder, (2) InternationalSeparator, or (3) LogFileName property value; or (4) a long bstrFileName argument to the OpenScreen method.

CVSS Score

9.3

HIGH

AV:N/AC:M/Au:N/C:C/I:C/A:C

Confidentiality

COMPLETE

Integrity

COMPLETE

Availability

COMPLETE

Affected Products

Vendor	Product	Versions
Advantech	Advantech Studio	6.1
Indusoft	Thin Client	7.0
Indusoft	Web Studio	<= 7.0

Related Weaknesses (CWE)

CWE-119

References

http://ics-cert.us-cert.gov/advisories/ICSA-12-249-03
http://secunia.com/advisories/42928Vendor Advisory
http://secunia.com/advisories/43116Vendor Advisory
http://secunia.com/secunia_research/2011-36/Vendor Advisory
http://secunia.com/secunia_research/2011-37/Vendor Advisory
http://www.advantechdirect.com/eMarketingPrograms/AStudio_Patch/AStudio7.0_Patch
http://www.indusoft.com/hotfixes/hotfixes.php
http://www.securityfocus.com/bid/47596
http://www.us-cert.gov/control_systems/pdf/ICSA-12-137-02.pdf
http://www.vupen.com/english/advisories/2011/1115Vendor Advisory
http://www.vupen.com/english/advisories/2011/1116Vendor Advisory
http://ics-cert.us-cert.gov/advisories/ICSA-12-249-03
http://secunia.com/advisories/42928Vendor Advisory
http://secunia.com/advisories/43116Vendor Advisory
http://secunia.com/secunia_research/2011-36/Vendor Advisory

FAQ

What is CVE-2011-0340?

CVE-2011-0340 is a vulnerability with a CVSS score of 9.3 (HIGH). Multiple buffer overflows in the ISSymbol ActiveX control in ISSymbol.ocx 61.6.0.0 and 301.1009.2904.0 in the ISSymbol virtual machine, as distributed in Advantech Studio 6.1 SP6 61.6.01.05, InduSoft ...

How severe is CVE-2011-0340?

CVE-2011-0340 has been rated HIGH with a CVSS base score of 9.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2011-0340?

Check the references section above for vendor advisories and patch information. Affected products include: Advantech Advantech Studio, Indusoft Thin Client, Indusoft Web Studio.