Delta Electronics has an update available to handle stack-based buffer overflow, out-of-bounds write, out-of-bounds read, and heap-based buffer overflow vulnerabilities in its CNCSoft-G2, according to a report with CISA.

Successful exploitation of these vulnerabilities, discovered by Bobby Gould and Fritz Sands of Trend Micro Zero Day Initiative, could cause a buffer overflow condition and allow remote code execution.

The vulnerabilities affect the following version of Delta Electronics CNCSoft-G2, a Human-Machine Interface (HMI) software: Version 2.0.0.5.

In one issue, Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. If a target visits a malicious page or opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-39880 is the case number for this vulnerability, which has a CVSS v3.1 base score of 7.8. There is also a CVSS v4 base score of 8.4.

In addition, Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a memory corruption condition. If a target visits a malicious page or opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-39881 is the case number for this vulnerability, which has a CVSS v3.1 base score of 7.8. There is also a CVSS v4 base score of 8.4.

Also, Delta Electronics CNCSoft-G2 lacks proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. If a target visits a malicious page or opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-39882 is the case number for this vulnerability, which has a CVSS v3.1 base score of 7.8. There is also a CVSS v4 base score of 8.4.

Meanwhile, Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. If a target visits a malicious page or opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.

CVE-2024-39883 is the case number for this vulnerability, which has a CVSS v3.1 base score of 7.8. There is also a CVSS v4 base score of 8.4.
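
The length validation whose absence the four descriptions above point to, shown as an added example that is not code from the advisory or from Delta Electronics. The record layout and the names `parse_record`, `struct record` and `FIELD_CAP` are hypothetical, constructed for illustration; they are not the CNCSoft-G2 file format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_CAP 32  /* size of the fixed-length destination buffer */

/* Hypothetical record layout, constructed for this example
 * (not the CNCSoft-G2 file format):
 *   byte 0     tag
 *   bytes 1-2  payload length, little-endian
 *   bytes 3..  payload */
enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

struct record {
    uint8_t tag;
    char    name[FIELD_CAP + 1];  /* +1 for the NUL terminator */
};

int parse_record(const uint8_t *buf, size_t buf_len, struct record *out)
{
    if (buf_len < 3)
        return PARSE_TRUNCATED;  /* header must be fully present */

    size_t claimed = (size_t)buf[1] | ((size_t)buf[2] << 8);

    /* The length field comes from the file. It must not exceed the bytes
     * actually read, or the copy reads past the input (out-of-bounds read). */
    if (claimed > buf_len - 3)
        return PARSE_TRUNCATED;

    /* It must also fit the fixed-length destination, or the copy writes past
     * out->name (stack or heap overflow, depending on where out lives). */
    if (claimed > FIELD_CAP)
        return PARSE_TOO_LONG;

    out->tag = buf[0];
    memcpy(out->name, buf + 3, claimed);
    out->name[claimed] = '\0';
    return PARSE_OK;
}

int main(void)
{
    struct record r;  /* on the stack, like the buffer in the first issue */
    const uint8_t good[]  = { 0x01, 0x03, 0x00, 'a', 'b', 'c' };  /* constructed sample */
    const uint8_t lying[] = { 0x01, 0xFF, 0xFF, 'a' };  /* constructed: length field overstates payload */
    printf("good:  %d\n", parse_record(good, sizeof good, &r));
    printf("lying: %d\n", parse_record(lying, sizeof lying, &r));
    return 0;
}
```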

The product sees use in the energy and critical manufacturing sectors, and on a global basis.

No known public exploit targets these vulnerabilities. These vulnerabilities are not exploitable remotely. However, an attacker could leverage these low-complexity vulnerabilities.

Delta Electronics recommends users update to CNCSoft-G2 V2.1.0.10 or later.

ISSSource