Delta Electronics Fixes WPLSoft Holes

Tuesday, February 27, 2018 @ 04:02 PM gHale

Delta Electronics released new software to mitigate multiple vulnerabilities in its WPLSoft, according to a report from ICS-CERT.

The remotely exploitable vulnerabilities are a stack-based buffer overflow, heap-based buffer overflow and an out-of-bounds write.

WPLSoft, a PLC programming software, suffers from the issues in Versions 2.45.0 and prior. The issues were discovered by Axt working with Trend Micro’s Zero Day Initiative.

Successful exploitation of these vulnerabilities could allow remote code execution or cause the software the attacker is accessing to crash.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerability.

In one of the vulnerabilities, the application utilizes a fixed length stack buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be overwritten, which may allow remote code execution or cause the application to crash.

CVE-2018-7494 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.3.

In addition, the application utilizes a fixed length heap buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be overwritten, which may allow remote code execution or cause the application to crash.

CVE-2018-7507 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.3.

Also, the application writes data from a file outside the bounds of the intended buffer space, which could cause memory corruption or may allow remote code execution.

CVE-2018-7509 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.3.
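
The stack and heap overflows described above both come from copying a file-supplied value into a fixed-length buffer. The C code below is an added example, not Delta's code or anything taken from the advisory; the length-prefixed record layout and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16 /* fixed-length destination buffer */

/* Hypothetical record layout (an assumption, not the WPLSoft file format):
 * bytes 0-1 = little-endian length N, bytes 2.. = N bytes of field data. */

/* Flawed pattern, shown for contrast and never called here: the length
 * stored in the file decides how many bytes land in the fixed buffer. */
void parse_name_unchecked(const uint8_t *rec, char *out)
{
    size_t n = (size_t)rec[0] | ((size_t)rec[1] << 8);
    memcpy(out, rec + 2, n); /* n can exceed NAME_CAP */
    out[n] = '\0';
}

/* Hardened form: returns 0 on success, -1 when the record is truncated or
 * the declared length does not fit the destination plus its terminator. */
int parse_name_checked(const uint8_t *rec, size_t rec_len,
                       char *out, size_t out_cap)
{
    if (rec_len < 2 || out_cap == 0)
        return -1;
    size_t n = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (n > rec_len - 2) /* length claims more data than the file holds */
        return -1;
    if (n >= out_cap)    /* would write past the fixed buffer */
        return -1;
    memcpy(out, rec + 2, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample records. */
    const uint8_t ok[] = { 5, 0, 'P', 'L', 'C', '0', '1' };
    uint8_t big[2 + 64] = { 64, 0 };
    const uint8_t lie[] = { 200, 0, 'x' };
    char name[NAME_CAP];

    memset(big + 2, 'A', 64);
    printf("ok:  %d\n", parse_name_checked(ok, sizeof ok, name, sizeof name));
    printf("big: %d\n", parse_name_checked(big, sizeof big, name, sizeof name));
    printf("lie: %d\n", parse_name_checked(lie, sizeof lie, name, sizeof name));
    return 0;
}
```

The same two checks apply whether the destination lives on the stack or the heap: compare the declared length against both the data actually present and the capacity of the buffer before copying.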

The product sees use mainly in the commercial facilities, critical manufacturing and energy sectors. It also sees action in Asia, Europe, and the United States.

Taiwan-based Delta Electronics recommends affected users update their software to the latest version of WPLSoft V2.46.0.

Additionally, Delta recommends users restrict the application’s interaction to trusted files.
