Tuesday, March 17, 2020

1 Advisory Published – 3-17-20

Today the CISA NCCIC-ICS published one control system security advisory for products from Delta Electronics.

Delta Advisory

The advisory describes two vulnerabilities in the Delta Industrial Automation CNCSoft ScreenEditor. The vulnerabilities were reported by Natnael Samson (@NattiSamson) and kimiya, working with the Zero Day Initiative. Delta has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2020-7002; and
• Out-of-bounds read - CVE-2020-6976

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to cause buffer overflow conditions that may allow information disclosure or remote code execution, or may crash the application. According to the ZDI advisories (here, here and here) the vulnerabilities are remotely exploitable.


The two different ZDI advisories for the buffer overflow vulnerability show slightly different descriptions of the vulnerability. Both describe parsing problems in DPB files. The kimiya advisory appears to be slightly more generic, while the Samson advisory specifies that the problem lies in parsing the GifName information in DPB files. There is a possibility that there are two separate vulnerabilities here. This is where it would be helpful to have the researchers verify the efficacy of the fix. We could have a situation here where the more specific vulnerability was fixed, but the more generic problem remains.

