Your one-stop web resource providing safety and security information to manufacturers

Delta Electronics (Delta) has a new version out to mitigate stack-based buffer overflow, heap-based buffer overflow, and an out-of-bounds read vulnerabilities in its Delta Industrial Automation CNCSoft, according to a report with NCCIC.

Successful exploitation of these vulnerabilities, discovered by Natnael Samson (@NattiSamson) and an anonymous researcher working with Trend Micro’s Zero Day Initiative (ZDI), could cause buffer overflow conditions that may allow information disclosure, remote code execution, or crash the application.

RELATED STORIES
WAGO Advisory on Hard-Coded Credentials Hole
PLC Cycle Time Vulnerability with Multi Vendors
Siemens’ Updates SIMOCODE pro V EIP
Siemens Fixes Spectrum Power 4.7 Hole

CNCSoft ScreenEditor Version 1.00.88 and prior suffer from the issues.

In one issue, multiple stack-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code. This may occur because CNCSoft lacks user input validation before copying data from project files onto the stack.

Cyber Security

CVE-2019-10947 is the case number assigned to these vulnerabilities, which have a CVSS v3 base score of 7.8.

In addition, multiple heap-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code. There is a lack of user input validation before copying data from project files onto the heap.

CVE-2019-10951 is the case number assigned to these vulnerabilities, which have a CVSS v3 base score of 7.8.

Also, multiple out-of-bounds read vulnerabilities may be exploited, allowing information disclosure due to a lack of user input validation for processing specially crafted project files.

CVE-2019-10949 is the case number assigned to these vulnerabilities, which have a CVSS v3 base score of 3.3.

The product sees use mainly in the critical manufacturing sector. It also sees action on a global basis.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. However, an attacker with low skill level could leverage the vulnerabilities.

Taiwan-based Delta recommends the following:
• Update to the latest version of ScreenEditor 1.00.89.
• Restrict the interaction with the application to trusted files.

Pin It on Pinterest

Share This