Delta Electronics has new software to mitigate a stack-based buffer overflow in its Delta Industrial Automation DOPSoft, according to a report with ICS-CERT.
Delta Industrial Automation DOPSoft, a human machine interface (HMI), suffers from the remotely exploitable vulnerability in Version 4.00.01 and prior. The vulnerability was discovered by Ghirmay Desta working with Trend Micro’s Zero Day Initiative (ZDI).
Successful exploitation of this vulnerability could cause the device the attacker is accessing to crash; a buffer overflow condition may allow remote code execution.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Stack-based buffer overflow vulnerabilities caused by processing specially crafted .dop or .dpb files may allow an attacker to remotely execute arbitrary code.
CVE-2018-5476 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.3.
The product sees use mainly in the commercial facilities, communications, critical manufacturing, energy, and healthcare and public health sectors. It is also deployed worldwide.
Taiwan-based Delta Electronics recommends affected users update to the latest version of DOPSoft, Version 4.00.04.
Delta Electronics also recommends users restrict the interaction with the application to trusted files.