Delta Electronics released a new version to mitigate a heap-based buffer overflow in its Delta Industrial Automation TPEditor, according to a report from NCCIC.
Successful exploitation of this vulnerability could crash the accessed device, resulting in a buffer overflow condition that may allow remote code execution. Delta updated its software after the initial NCCIC release in mid-May.
TPEditor, programming software for Delta text panels operating on Windows, suffers from the remotely exploitable vulnerability in Version 1.89 and prior. A security researcher known as “ThePotato,” working with Trend Micro’s Zero Day Initiative (ZDI), discovered the issue.
Parsing a malformed program file may cause a heap-based buffer overflow, which may allow remote code execution.
CVE-2018-8871 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.
The product sees use mainly in the commercial facilities, communications, critical manufacturing, energy, and healthcare and public health sectors. It also sees action on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill level could leverage the vulnerability.
Delta Electronics recommends affected users update to the latest version of Delta Industrial Automation TPEditor, Version 1.90.
Until users update to the new version of TPEditor, the company suggests affected users restrict interaction with the application to trusted files.