Delta Electronics (Delta) has issued recommendations, including a new software version, to fix an out-of-bounds read in its Delta Industrial Automation CNCSoft, according to a report with NCCIC.
Successful exploitation of this vulnerability, discovered by Natnael Samson (@NattiSamson) working with Trend Micro’s Zero Day Initiative (ZDI), could cause a buffer overflow condition that may allow information disclosure or crash the application.
CNCSoft ScreenEditor Version 1.00.84 and prior are affected.
The out-of-bounds read stems from a lack of user input validation when processing project files and may cause the software to crash.
CVE-2019-6547 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.4.
The product is used mainly in the critical manufacturing sector and is deployed worldwide.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. However, an attacker with low skill level could leverage the vulnerability.
Taiwan-based Delta recommends the following:
• Update to the latest version of CNCSoft v1.01.15
• Restrict the interaction with the application to trusted files