National Vulnerability Database

CVE-2017-5170 Detail

Current Description

An Uncontrolled Search Path Element issue was discovered in Moxa SoftNVR-IA Live Viewer, Version 3.30.3122 and prior versions. An uncontrolled search path element (DLL Hijacking) vulnerability has been identified. To exploit this vulnerability, an attacker could rename a malicious DLL to meet the criteria of the application, and the application would not verify that the DLL is correct. The attacker needs to have administrative access to the default install location in order to plant the insecure DLL. Once loaded by the application, the DLL could run malicious code at the privilege level of the application.

Source:  MITRE

Severity



CVSS 3.x Severity and Metrics:

NIST: NVD
Base Score: 7.2 HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools


Hyperlink | Resource
http://www.securityfocus.com/bid/100208 | Third Party Advisory, VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-220-02 | Mitigation, Third Party Advisory, US Government Resource

Weakness Enumeration

CWE-ID | CWE Name | Source
CWE-427 | Uncontrolled Search Path Element | NIST, ICS-CERT

Known Affected Software Configurations

Configuration 1
 cpe:2.3:a:moxa:softnvr-ia_live_view:*:*:*:*:*:*:*:*
 Up to (including) 3.3


Quick Info

CVE Dictionary Entry: CVE-2017-5170
NVD Published Date: 01/18/2018
NVD Last Modified: 10/09/2019