Delta Electronics is working on a new version to mitigate a heap-based buffer overflow in its Delta Industrial Automation TPEditor, according to a report with NCCIC.
Successful exploitation of this vulnerability could crash the accessed device, resulting in a buffer overflow condition that may allow remote code execution.
TPEditor, programming software for Delta text panels that runs on Windows, suffers from the remotely exploitable vulnerability in Version 1.89 and prior. A security researcher known as “ThePotato,” working with Trend Micro’s Zero Day Initiative (ZDI), discovered the issue.
Parsing a malformed program file may cause a heap-based buffer overflow, which may allow remote code execution.
CVE-2018-8871 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
The product sees use mainly in the commercial facilities, communications, critical manufacturing, energy, and healthcare and public health sectors. It also sees use on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
Until Taiwan-based Delta Electronics releases a new version of TPEditor, the company suggests that affected users restrict interaction with the application to trusted files.