Delta Electronics has a new version that mitigates a stack-based buffer overflow in its ISPSoft, according to a report with NCCIC.
Successful exploitation of this vulnerability, discovered by Ariele Caltabiano (kimiya) working with Trend Micro’s Zero Day Initiative, could allow an attacker to execute code under the context of the application.
A PLC program development tool, ISPSoft Version 3.0.5 and prior suffer from the remotely exploitable vulnerability.
By opening a crafted file, an attack can cause the application to read past the boundary allocated to a stack object, which could allow execution of code under the context of the application.
CVE-2018-14800 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product sees use mainly in the critical manufacturing sector. It also sees action on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Taiwan-based Delta Electronics recommends affected users update to ISPSoft v3.0.6 or newer. Click here to download the update.