
Delta Electronics has mitigations available for out-of-bounds read and use-after-free vulnerabilities in its Industrial Automation DOPSoft, according to a report from CISA.

Successful exploitation of these remotely exploitable vulnerabilities may allow information disclosure, remote code execution, or crash of the application. The vulnerabilities were reported by kimiya of 9SG Security Team, working with Trend Micro’s Zero Day Initiative (ZDI).

DOPSoft, a Human Machine Interface (HMI) editing software product, suffers from the issues in Version 4.00.06.15 and prior.

In one issue, processing a specially crafted project file may trigger multiple out-of-bounds read vulnerabilities, which may allow information disclosure, remote code execution, or crash of the application.

CVE-2019-13513 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.

In the other issue, processing a specially crafted project file may trigger a use-after-free vulnerability, which may allow information disclosure, remote code execution, or crash of the application.

CVE-2019-13514 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.

The product sees use mainly in the critical manufacturing sector and is deployed on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.

Taiwan-based Delta Electronics recommends users apply the following mitigations:

• Update to the latest version of DOPSoft, Version 4.00.06.47.
• Restrict interaction with the application to trusted files.
