Delta Electronics has released a new version that mitigates stack-based buffer overflow and out-of-bounds read vulnerabilities in its CNCSoft and ScreenEditor software, according to a report with NCCIC.
The following products suffer from the remotely exploitable vulnerabilities, discovered by Mat Powell working with Trend Micro's Zero Day Initiative: CNCSoft Version 1.00.83 and prior, and the accompanying ScreenEditor Version 1.00.54.
Multiple stack-based buffer overflow vulnerabilities cause the software to crash because user input is not validated before data from project files is copied onto the stack.
CVE-2018-10636 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
In addition, two out-of-bounds read vulnerabilities cause the software to crash because user input is not validated while project files are processed.
CVE-2018-10598 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.
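As an added illustration of the two defect classes described above (this is not Delta's code, and the one-length-byte record layout is an assumption made for the example), a project-file record reader in C that checks a file-supplied length against both the bytes remaining in the input and the size of the destination stack buffer before copying anything:

```c
#include <stdint.h>
#include <string.h>

/* Constructed record layout, assumed for illustration only (not the real
 * CNCSoft/ScreenEditor format): one length byte, then that many name bytes. */
#define NAME_MAX 32
typedef enum { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 } parse_status;

/* Hardened reader. The advisory's defect class is copying a file-supplied
 * number of bytes onto the stack without checking that number. Two checks
 * are needed, one per failure mode:
 *   declared > bytes remaining -> read past the input (out-of-bounds read)
 *   declared >= NAME_MAX       -> write past the stack buffer (overflow) */
parse_status read_name_record(const uint8_t *buf, size_t len, char out[NAME_MAX])
{
    if (len < 1)
        return PARSE_TRUNCATED;        /* no length byte present */
    size_t declared = buf[0];
    if (declared >= NAME_MAX)
        return PARSE_TOO_LONG;         /* reject before touching the stack buffer */
    if (declared > len - 1)
        return PARSE_TRUNCATED;        /* file claims more bytes than it holds */
    memcpy(out, buf + 1, declared);
    out[declared] = '\0';
    return PARSE_OK;
}

/* Constructed sample records: well-formed, truncated, and oversized. */
static const uint8_t SAMPLE_OK[]    = { 5, 'A', 'x', 'i', 's', '1' };
static const uint8_t SAMPLE_TRUNC[] = { 10, 'A', 'B' };       /* claims 10, holds 2 */
static const uint8_t SAMPLE_BIG[]   = { 200, 'A', 'B', 'C' };  /* claims 200 > NAME_MAX */

/* Parses sample `which` (0, 1 or 2) into out and returns its status. */
parse_status parse_sample(int which, char out[NAME_MAX])
{
    switch (which) {
    case 0:  return read_name_record(SAMPLE_OK,    sizeof SAMPLE_OK,    out);
    case 1:  return read_name_record(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, out);
    default: return read_name_record(SAMPLE_BIG,   sizeof SAMPLE_BIG,   out);
    }
}

/* 1 if the sample parses cleanly and yields exactly `expected`, else 0. */
int sample_matches(int which, const char *expected)
{
    char name[NAME_MAX];
    return parse_sample(which, name) == PARSE_OK && strcmp(name, expected) == 0;
}
```

The ordering matters: the destination-size check runs before the remaining-input check so that a hostile length is rejected without any memory access, and both run before the copy.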
The product sees use mainly in the critical manufacturing sector and is deployed worldwide.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Taiwan-based Delta Electronics recommends the following:
• Update to the latest version of CNCSoft, v1.01.09
• Restrict interaction with the application to trusted files