// For flags

CVE-2014-5424

Rockwell Automation Connected Components Workbench RA.ViewElements.Row.1 Arbitrary Write Remote Code Execution Vulnerability

Severity Score

7.5
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Rockwell Automation Connected Components Workbench (CCW) before 7.00.00 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an invalid property value to an ActiveX control that was built with an outdated compiler.

Rockwell Automation Connected Components Workbench (CCW) anterior a 7.00.00 permite a atacantes remotos causar una denegación de servicio (caída de la aplicación) o la posibilidad de ejecutar código arbitrario a través de una propiedad inválida en el control del ActiveX que fue compilado con un compilador obsoleto.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Rockwell Automation Connected Components Workbench. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the RA.ViewElements.Row.1 ActiveXControl method. By providing a malicious value to the BackColor property, an attacker can write an uncontrolled four byte value to an arbitrary location. An attacker could use this to execute arbitrary code in the context of the browser.

*Credits: Andrea Micalizzi (rgod)
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-08-22 CVE Reserved
  • 2014-11-14 CVE Published
  • 2023-12-08 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (1)
URL Tag Source
https://ics-cert.us-cert.gov/advisories/ICSA-14-294-01 Third Party Advisory
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Rockwellautomation
Search vendor "Rockwellautomation"
 Connected Components Workbench
Search vendor "Rockwellautomation" for product "Connected Components Workbench"
 <= 6.01.00
Search vendor "Rockwellautomation" for product "Connected Components Workbench" and version " <= 6.01.00"
-
Affected