CVE-2021-32198

EmTec ZOC through 8.02.4 allows remote servers to cause a denial of service (Windows GUI hang) by telling the ZOC window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. In other words, it does not implement a usleep or similar delay upon processing a title change.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.emtec.com/downloads/zoc/zoc_changes.txt	Release Notes Vendor Advisory
https://pastebin.com/0xhrDvW0	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:emtec:zoc:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-06-06 12:15

Updated : 2021-09-21 16:39

NVD link : CVE-2021-32198

Mitre link : CVE-2021-32198

CVE.ORG link : CVE-2021-32198

JSON object : View

Products Affected

emtec

zoc

CWE

NVD-CWE-noinfo

{"id": "CVE-2021-32198", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-06-06T12:15:07.380", "references": [{"url": "http://www.emtec.com/downloads/zoc/zoc_changes.txt", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://pastebin.com/0xhrDvW0", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "EmTec ZOC through 8.02.4 allows remote servers to cause a denial of service (Windows GUI hang) by telling the ZOC window to change its title repeatedly at high speed, which results in many SetWindowTextA or SetWindowTextW calls. In other words, it does not implement a usleep or similar delay upon processing a title change."}, {"lang": "es", "value": "EmTec ZOC hasta la versi\u00f3n 8.02.4 permite que los servidores remotos provoquen una denegaci\u00f3n de servicio (se cuelga la GUI de Windows) al decirle a la ventana ZOC que cambie su t\u00edtulo repetidamente a alta velocidad, lo que da como resultado muchas llamadas SetWindowTextA o SetWindowTextW. En otras palabras, no implementa un retraso de usleep o similar al procesar un cambio de t\u00edtulo."}], "lastModified": "2021-09-21T16:39:27.700", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:emtec:zoc:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "753C4CA4-1E34-4889-848C-1FBBBE6920C1", "versionEndIncluding": "8.02.4"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}