Delta Electronics Fixes GUI

Thursday, January 4, 2018 @ 04:01 PM gHale


Delta Electronics, Inc. has updated software available to mitigate multiple vulnerabilities in its Delta Industrial Automation Screen Editor, according to a report with ICS-CERT.

The vulnerabilities, discovered by Steven Seeley of Source Incite, include a stack-based buffer overflow, use-after-free, out-of-bounds write and type confusion.

Delta Industrial Automation Screen Editor, a graphical user interface (GUI), Version 2.00.23.00 or prior suffers from the issues.

Successful exploitation of these vulnerabilities may allow an attacker to remotely execute arbitrary code.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not remotely exploitable. However, an attacker with low skill level could leverage the vulnerabilities.

Stack-based buffer overflow vulnerabilities caused by processing specially crafted .dbp files may allow an attacker to remotely execute arbitrary code.

CVE-2017-16751 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.5.

In addition, specially crafted .dbp files could exploit a use-after-free vulnerability.

CVE-2017-16749 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.5.

Also, specially crafted .dbp files may cause the system to write outside the intended buffer area.

CVE-2017-16747 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.5.

In addition, an access of resource using incompatible type (‘type confusion’) vulnerability may allow an attacker to execute remote code when processing specially crafted .dbp files.

CVE-2017-16745 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.5.

The product sees use mainly in the critical manufacturing sector. It also sees action on a global basis.

Taiwan-based Delta Electronics recommends affected users update to the latest version of DOPSoft Version 2, which is available for download.

Delta Industrial Automation Screen Editor Version 2.00.23.00 has been removed from Delta Electronics’ web site and replaced with DOPSoft, Version 2. Delta Electronics also recommends users restrict the interaction with the application to trusted files.


