CVE-2014-5407 - Vulnerability Details - OpenCVE

ReportizFlow

Multiple stack-based buffer overflows in Schneider Electric VAMPSET 2.2.136 and earlier allow local users to cause a denial of service (application halt) via a malformed (1) setting file or (2) disturbance recording file.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Schneider-electric	Vampset

Configuration 1 [-]

cpe:2.3:a:schneider-electric:vampset:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.schneider-electric.com/products/ww/en/2300-ied-user-software/2320-vamp-user-software/62050-vamp-software/
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-254-01.json
https://ics-cert.us-cert.gov/advisories/ICSA-14-254-01
https://www.cisa.gov/news-events/ics-advisories/icsa-14-254-01

History

Mon, 03 Nov 2025 19:00:00 +0000

Type	Values Removed	Values Added
Title		Schneider Electric VAMPSET Stack-based Buffer Overflow
Weaknesses		CWE-121
References		http://www.schneider-electric.com/products/ww/en/2300-ied-user-software/2320-vamp-user-software/62050-vamp-software/ https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-254-01.json https://www.cisa.gov/news-events/ics-advisories/icsa-14-254-01
Metrics	cvssV2_0 `{'score': 4.4, 'vector': 'AV:L/AC:M/Au:N/C:P/I:P/A:P'}`	cvssV2_0 `{'score': 4.1, 'vector': 'AV:L/AC:M/Au:S/C:P/I:P/A:P'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2014-09-15T14:00:00

Updated: 2025-11-03T18:52:21.206Z

Reserved: 2014-08-22T00:00:00

Link: CVE-2014-5407

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-09-15T14:55:11.697

Modified: 2025-11-03T19:15:38.683

Link: CVE-2014-5407

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "VAMPSET", "vendor": "Schneider Electric", "versions": [{"lessThanOrEqual": "2.2.136", "status": "affected", "version": "0", "versionType": "custom"}, {"status": "unaffected", "version": "2.2.145"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Aivar Liimets of Martem AS"}], "datePublic": "2014-09-11T06:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Multiple stack-based buffer overflows in Schneider Electric VAMPSET 2.2.136 and earlier allow local users to cause a denial of service (application halt) via a malformed (1) setting file or (2) disturbance recording file.</p>"}], "value": "Multiple stack-based buffer overflows in Schneider Electric VAMPSET 2.2.136 and earlier allow local users to cause a denial of service (application halt) via a malformed (1) setting file or (2) disturbance recording file."}], "metrics": [{"cvssV2_0": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-11-03T18:52:21.206Z"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-254-01"}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-254-01.json"}, {"url": "http://www.schneider-electric.com/products/ww/en/2300-ied-user-software/2320-vamp-user-software/62050-vamp-software/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Schneider Electric released an update for distribution on August 21, \n2014. The VAMPSET setting tool, v.2.2.145 or newer, can be found here:</p>\n<p><a target=\"_blank\" rel=\"nofollow\" href=\"http://www.schneider-electric.com/products/ww/en/2300-ied-user-software/2320-vamp-user-software/62050-vamp-software/\">http://www.schneider-electric.com/products/ww/en/2300-ied-user-software/2320-vamp-user-software/62050-vamp-software/</a></p>Schneider Electric recommends that all customers and users install and use VAMPSET v.2.2.145 or newer.\n\n<br>"}], "value": "Schneider Electric released an update for distribution on August 21, \n2014. The VAMPSET setting tool, v.2.2.145 or newer, can be found here:\n\n\n http://www.schneider-electric.com/products/ww/en/2300-ied-user-software/2320-vamp-user-software/62050-vamp-software/ \n\nSchneider Electric recommends that all customers and users install and use VAMPSET v.2.2.145 or newer."}], "source": {"advisory": "ICSA-14-254-01", "discovery": "EXTERNAL"}, "title": "Schneider Electric VAMPSET Stack-based Buffer Overflow", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "To protect the computer and configuration files from unauthorized \nescalation of privileges through manipulation, Schneider Electric \nrecommends users employ best IT practices to secure their computers and \nrelay\u2019s configuration files and to use User Access Control (UAC) to \nfurther improve the security of the computer. Additionally, to minimize \nthe risk of attack, users who are not directly using this software on a \nregular basis are strongly encouraged to delete this application from \ntheir computer to reduce the likelihood of attack and to store relay \nconfiguration files in the client\u2019s protected location.\n\n<br>"}], "value": "To protect the computer and configuration files from unauthorized \nescalation of privileges through manipulation, Schneider Electric \nrecommends users employ best IT practices to secure their computers and \nrelay\u2019s configuration files and to use User Access Control (UAC) to \nfurther improve the security of the computer. Additionally, to minimize \nthe risk of attack, users who are not directly using this software on a \nregular basis are strongly encouraged to delete this application from \ntheir computer to reduce the likelihood of attack and to store relay \nconfiguration files in the client\u2019s protected location."}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2014-5407", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple stack-based buffer overflows in Schneider Electric VAMPSET 2.2.136 and earlier allow local users to cause a denial of service (application halt) via a malformed (1) setting file or (2) disturbance recording file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-254-01", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-254-01"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T11:41:49.181Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-254-01"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2014-5407", "datePublished": "2014-09-15T14:00:00", "dateReserved": "2014-08-22T00:00:00", "dateUpdated": "2025-11-03T18:52:21.206Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:schneider-electric:vampset:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B94A6E8-E88D-4165-850A-754573289558", "versionEndIncluding": "2.2.136", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple stack-based buffer overflows in Schneider Electric VAMPSET 2.2.136 and earlier allow local users to cause a denial of service (application halt) via a malformed (1) setting file or (2) disturbance recording file."}, {"lang": "es", "value": "M\u00faltiples desbordamientos de buffer basado en pila en Schneider Electric VAMPSET 2.2.136 y anteriores permite a usuarios locales causar una denegaci\u00f3n de servicio (parada de aplicaci\u00f3n) a trav\u00e9s de un (1) fichero de configuraci\u00f3n o (2) fichero de grabaci\u00f3n de disturbio malformados."}], "id": "CVE-2014-5407", "lastModified": "2025-11-03T19:15:38.683", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 2.7, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Secondary", "userInteractionRequired": true}, {"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-09-15T14:55:11.697", "references": [{"source": "[email protected]", "url": "http://www.schneider-electric.com/products/ww/en/2300-ied-user-software/2320-vamp-user-software/62050-vamp-software/"}, {"source": "[email protected]", "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2014/icsa-14-254-01.json"}, {"source": "[email protected]", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-254-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-254-01"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-119"}], "source": "[email protected]", "type": "Secondary"}]}