Delta Electronics Fixes 2 Holes

Tuesday, August 7, 2018 @ 05:08 PM gHale

Delta Electronics has a new version to mitigate stack-based buffer overflow and out-of-bounds read vulnerabilities in its CNCSoft and ScreenEditor software, according to a report from NCCIC.

The following products suffer from the remotely exploitable vulnerabilities, discovered by Mat Powell working with Trend Micro’s Zero Day Initiative: CNCSoft Version 1.00.83 and prior, and the accompanying ScreenEditor Version 1.00.54.

In the first issue, multiple stack-based buffer overflows cause the software to crash because user input is not validated before data from project files is copied onto the stack.

CVE-2018-10636 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

In addition, two out-of-bounds read vulnerabilities cause the software to crash because user input is not validated when project files are processed.

CVE-2018-10598 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.
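The following is an added example, not code from Delta Electronics or the NCCIC report: a C routine that applies the validation both flaw classes lacked when a length-prefixed field is read from an untrusted project file. The record layout (1-byte tag, 2-byte little-endian length, payload), the names and the sample bytes are assumptions constructed for illustration; the actual CNCSoft file format is not described here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32   /* size of the fixed stack buffer the caller uses */
#define HDR_LEN  3    /* assumed layout: 1-byte tag + 2-byte LE length */

enum { PF_OK = 0, PF_TRUNCATED = -1, PF_LEN_PAST_EOF = -2, PF_TOO_LONG = -3 };

/* Constructed sample inputs, not taken from any real project file. */
static const uint8_t SAMPLE_GOOD[]  = { 0x01, 0x04, 0x00, 'A', 'X', 'I', 'S' };
static const uint8_t SAMPLE_LYING[] = { 0x01, 0xFF, 0x00, 'A', 'X' }; /* claims 255 bytes */
static const uint8_t SAMPLE_LONG[HDR_LEN + 40] = { 0x01, 40, 0x00 };  /* 40 > NAME_CAP */

/* Copy one length-prefixed field at offset `off` of an untrusted file image
 * into `out` (capacity `out_cap`), NUL-terminated.
 * The unsafe pattern this replaces is memcpy(out, file + off + 3, len)
 * with `len` taken straight from the file and never checked. */
int pf_read_field(const uint8_t *file, size_t file_len, size_t off,
                  char *out, size_t out_cap)
{
    /* 1. The header must lie inside the file (guards the out-of-bounds read). */
    if (off > file_len || file_len - off < HDR_LEN)
        return PF_TRUNCATED;
    size_t len = (size_t)file[off + 1] | ((size_t)file[off + 2] << 8);

    /* 2. The declared length must fit in the bytes that actually remain. */
    if (len > file_len - off - HDR_LEN)
        return PF_LEN_PAST_EOF;

    /* 3. Payload plus terminator must fit the destination buffer
     *    (guards the stack-based overflow). */
    if (out_cap == 0 || len >= out_cap)
        return PF_TOO_LONG;

    memcpy(out, file + off + HDR_LEN, len);
    out[len] = '\0';
    return PF_OK;
}

int main(void)
{
    char name[NAME_CAP];  /* fixed-size stack destination */
    printf("good:  %d\n", pf_read_field(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 0, name, sizeof name));
    printf("lying: %d\n", pf_read_field(SAMPLE_LYING, sizeof SAMPLE_LYING, 0, name, sizeof name));
    printf("long:  %d\n", pf_read_field(SAMPLE_LONG, sizeof SAMPLE_LONG, 0, name, sizeof name));
    return 0;
}
```

Rejecting the file on any non-zero return, rather than truncating and continuing, keeps a malformed project file from reaching later parsing stages.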

The product sees use mainly in the critical manufacturing sector and is deployed on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.

Taiwan-based Delta Electronics recommends the following:
• Update to the latest version of CNCSoft, v1.01.09
• Restrict the interaction with the application to trusted files
