Delta Fixes Industrial Automation TPEditor

Thursday, October 11, 2018 @ 05:10 PM gHale

Delta Electronics has a new version available to mitigate out-of-bounds write and stack-based buffer overflow vulnerabilities in its Delta Industrial Automation TPEditor, according to a report from NCCIC.

Successful exploitation of these vulnerabilities, discovered by Ariele Caltabiano (kimiya) of 9SG Security Team and Mat Powell working with Trend Micro’s Zero Day Initiative (ZDI), could crash the accessed device, resulting in a buffer overflow condition that may allow remote code execution.


TPEditor is programming software for Delta text panels that runs on Windows. Versions 1.90 and prior suffer from the vulnerabilities.

In one issue, multiple stack-based buffer overflows can be triggered by processing specially crafted project files. The software does not validate user input before copying data from project files onto the stack, which may allow an attacker to remotely execute arbitrary code.

CVE-2018-17929 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.6.

In addition, multiple out-of-bounds write vulnerabilities can be triggered by processing specially crafted project files. Because user input is not validated, the software may write outside the intended buffer area, which may allow remote code execution.

CVE-2018-17927 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.6.
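The bug class behind both CVEs, seen from the defender's side in an added example that is not Delta's code: a parser that validates a file-supplied length and index before copying into a stack buffer and writing into a fixed table. The record layout, `parse_record`, and all constants are hypothetical and do not reflect TPEditor's actual project-file format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example (not TPEditor's format):
 *   byte 0: slot index, bytes 1-2: name length (little-endian), bytes 3..: name */
#define NAME_MAX_LEN 32
#define SLOT_COUNT   8

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_NAME_TOO_LONG, PARSE_BAD_SLOT };
struct project {
    uint16_t name_len[SLOT_COUNT];
    char     last_name[NAME_MAX_LEN + 1];
};

enum parse_status parse_record(const uint8_t *rec, size_t rec_len, struct project *out)
{
    char name[NAME_MAX_LEN + 1];          /* fixed-size stack buffer */
    if (rec_len < 3)
        return PARSE_TRUNCATED;           /* header must be fully present */
    uint8_t  slot = rec[0];
    uint16_t len  = (uint16_t)(rec[1] | (rec[2] << 8));

    if ((size_t)len > rec_len - 3)        /* claimed length vs. bytes actually in the file */
        return PARSE_TRUNCATED;
    if (len > NAME_MAX_LEN)               /* without this, memcpy overruns name[] on the stack */
        return PARSE_NAME_TOO_LONG;
    if (slot >= SLOT_COUNT)               /* without this, the table store is out of bounds */
        return PARSE_BAD_SLOT;

    memcpy(name, rec + 3, len);
    name[len] = '\0';
    out->name_len[slot] = len;
    memcpy(out->last_name, name, (size_t)len + 1);
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample records: valid, oversized name, bad slot index. */
    const uint8_t ok[]        = { 2, 4, 0, 'P', 'A', 'G', 'E' };
    uint8_t       big[3 + 40] = { 1, 40, 0 };     /* 40 name bytes, limit is 32 */
    const uint8_t bad_slot[]  = { 200, 1, 0, 'A' };
    struct project p = { {0}, "" };
    printf("%d %d %d\n", parse_record(ok, sizeof ok, &p),
           parse_record(big, sizeof big, &p), parse_record(bad_slot, sizeof bad_slot, &p));
    return 0;
}
```

Every value read from the file (length and index) is checked against both the input size and the destination size before any write takes place.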

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. However, an attacker with low skill level could leverage the vulnerabilities.

The product sees use mainly in the critical manufacturing sector and is deployed on a global basis.

Delta Electronics recommends affected users update to the latest version of Delta Industrial Automation TPEditor, Version 1.91, which is available for download.

Delta Electronics also recommends affected users restrict the interaction with the application to trusted files.


