(I)IoT Security News
Critical vulnerabiliities, News, Recommendations, Vulnerabilities

Delta Electronics DOPSoft 2 (Update A)

1. EXECUTIVE SUMMARY

2. UPDATED INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-21-252-02 Delta Electronics DOPSoft 2 that was published September 9, 2021, on the ICS webpage on cisa.gov/ICS.

3. RISK EVALUATION 

Successful exploitation of these vulnerabilities may allow arbitrary code execution.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following versions of DOPSoft 2 are affected:

4.2 VULNERABILITY OVERVIEW

4.2.1    STACK-BASED BUFFER OVERFLOW CWE-121

The affected application lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.

CVE-2021-38402 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

4.2.2    OUT-OF-BOUNDS WRITE CWE-787

The affected application lacks proper validation of user-supplied data when parsing specific project files. This could result in multiple out-of-bounds write instances. An attacker could leverage this vulnerability to execute code in the context of the current process.

CVE-2021-38406 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

4.2.3    HEAP-BASED BUFFER OVERFLOW CWE-122

The affected application lacks proper validation of user-supplied data when parsing specific project files. This could result in a heap-based buffer overflow. An attacker could leverage this vulnerability to execute code in the context of the current process.

CVE-2021-38404 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

4.3 BACKGROUND

4.4 RESEARCHER

kimiya, working with Trend Micro’s Zero Day Initiative, reported these vulnerabilities to CISA.

5. MITIGATIONS

——— Begin Update A part 1 of 1 ———

DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users switch HMI devices to the DOP-100 family and then switch the software to DIAScreen in DIAStudio v1.1.2 (or later) (login required).

——— End Update A part 1 of 1 ———

DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Source:
https://www.cisa.gov/uscert/ics/advisories/icsa-21-252-02

Related posts

Mitsubishi Electric Factory Automation Engineering Products

(I) IoT
4 years ago

Horner Automation Remote Compact Controller

IoT
2 years ago

Moxa NPort IAW5000A-I/O Series Serial Device Server

(I) IoT
3 years ago
Exit mobile version