Delta Fixes HMI Software

Thursday, May 31, 2018 @ 05:05 PM gHale

Delta Electronics released a new version of its Delta Industrial Automation DOPSoft to mitigate multiple vulnerabilities, according to a report with NCCIC.

The vulnerabilities are an out-of-bounds read, heap-based buffer overflow, and a stack-based buffer overflow.

RELATED STORIES
Yokogawa Upgrade for STARDOM Controller Hole
BeaconMedaes has Update for TotalAlert
Schneider Fixes Floating License Manager
BD Kiestra, InoquIA Systems Fixes in Works

Successful exploitation of these vulnerabilities could allow a remote attacker to read sensitive information, execute arbitrary code, and/or crash the application.

A Human Machine Interface (HMI) editing software, DOPSoft Version 4.00.04 and prior suffer from the remotely exploitable vulnerabilities, discovered by B0nd @garagehackers working with Trend Micro’s Zero Day Initiative.

In one vulnerability, the application performs read operations on a memory buffer where the position can be determined by a value read from a .dpa file. This may cause improper restriction of operations within the bounds of the memory buffer, allow remote code execution, alter the intended control flow, allow reading of sensitive information, or cause the application to crash.

CVE-2018-10623 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

In addition, the application utilizes a fixed-length heap buffer where a value larger than the buffer can be read from a .dpa file into the buffer, causing the buffer to be overwritten. This may allow remote code execution or cause the application to crash.

CVE-2018-10617 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

Also, the application utilizes a fixed-length stack buffer where a value larger than the buffer can be read from a .dpa file into the buffer, causing the buffer to be overwritten. This may allow remote code execution or cause the application to crash.

CVE-2018-10621 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.3.

The product sees use mainly in the critical manufacturing sector. It also sees action on a global basis.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Delta Electronics recommends affected users update to the latest version.

Delta Electronics also recommends affected users restrict the interaction with the application to trusted files.



Leave a Reply

You must be logged in to post a comment.