Your one-stop web resource providing safety and security information to manufacturers

Delta Electronics has a mitigation plan to handle heap-based buffer overflow and out-of-bounds read vulnerabilities in its CNCSoft ScreenEditor, according to a report with NCCIC.

Successful exploitation of these vulnerabilities, discovered by Natnael Samson (@NattiSamson) working with Trend Micro Zero Day Initiative (ZDI), could cause buffer overflow conditions that may allow information disclosure, remote code execution, or crash the application.

RELATED STORIES
Philips has Plan to Fix Holter 2010 Plus Hole
GE Mitigation Plan for Anesthesia Devices
Emerson Patches DeltaV DCS
Rockwell Fills Hole in PanelView 5510

CNCSoft ScreenEditor Versions 1.00.89 and prior suffer from the remotely exploitable vulnerabilities.

In one issue, multiple heap-based buffer overflow vulnerabilities may be exploited by processing specially crafted project files, allowing an attacker to remotely execute arbitrary code. There is a lack of user input validation before copying data from project files onto the heap.

Schneider Bold

CVE-2019-10982 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.

In addition, multiple out-of-bounds read vulnerabilities may cause information disclosure due to lacking user input validation for processing project files.

CVE-2019-10992 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.3.

The product sees use mainly in the critical manufacturing sector. It also sees acton on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Taiwan-based Delta Electronics recommends the following mitigation plan:
• Update to the latest version of ScreenEditor, Version 1.00.94
• Delta Electronics also recommends users restrict the interaction of the application to trusted files

Pin It on Pinterest

Share This