Delta Electronics has released a new version of its Industrial Automation CNCSoft ScreenEditor that fixes stack-based buffer overflow and out-of-bounds read vulnerabilities, according to a report from CISA.
Successful exploitation of these vulnerabilities could cause buffer overflow conditions that may allow information disclosure or remote code execution, or crash the application. CNCSoft ScreenEditor, a user interface, is affected in v1.00.96 and prior. The vulnerabilities were discovered by Natnael Samson (@NattiSamson) and kimiya, working with Trend Micro’s Zero Day Initiative.
In one issue, multiple stack-based buffer overflows can be exploited when a valid user opens a specially crafted, malicious input file.
CVE-2020-7002 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
In addition, because of a lack of validation, an out-of-bounds read overflow can be exploited when a valid user opens a specially crafted, malicious input file.
CVE-2020-6976 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.3.
The product is used mainly in the critical manufacturing sector and is deployed on a global basis.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. However, an attacker with a low skill level can leverage the vulnerabilities.
To mitigate the issue, Delta recommends the following:
- Update to the latest version, CNCSoft v1.01.24 (with ScreenEditor v1.00.98)
- Restrict the interaction with the application to trusted files