Delta Electronics automation devices allow remote code execution; manufacturing industry at risk

Multiple members of the manufacturing industry have become concerned after a vulnerability assessment firm published a report on the presence of at least two security flaws in Delta Industrial Automation CNCSoft ScreenEditor devices. According to the report, exploiting these security issues could lead to various risk scenarios for the affected industrial environments.

The vulnerabilities were reported by researchers Natnael Samson and Kimiya, in collaboration with the Zero Day Initiative (ZDI) vulnerability disclosure platform. The two security issues described in the vulnerability assessment report are listed below.

Stack-based buffer overflow (CWE-121): According to specialists, this flaw can be exploited to trigger multiple stack-based buffer overflows if the target user opens a specially crafted malicious input file. The vulnerability is tracked as CVE-2020-7002 and received a score of 7.8/10 on the Common Vulnerability Scoring System (CVSS) scale, so the risk of exploitation is considered high.

Out-of-bounds read (CWE-125): An out-of-bounds read could be triggered if a legitimate user opens a specially crafted input file, due to the absence of input validation. The flaw is tracked as CVE-2020-6976 and received a score of 3.3/10 on the CVSS scale, so the risk of exploitation is considered low.
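Both flaws share the same root cause: a file parser that trusts length and index fields taken from the file itself. The following C example is added here to illustrate that pattern and its fix; it is not Delta's code and it does not describe the real CNCSoft ScreenEditor file format. The "screen project" layout, the field names and the sample files are all constructed for the example. The unchecked parser shows where a CWE-121 stack-based buffer overflow and a CWE-125 out-of-bounds read arise, and the checked parser shows the validation that prevents both by rejecting the malformed file instead of processing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal "screen project" file layout used only for this
 * example (constructed; not the real CNCSoft ScreenEditor format):
 *   byte 0      : name_len   - length of the following name field
 *   bytes 1..n  : name       - name_len bytes, not NUL-terminated
 *   next byte   : palette_ix - index into a 4-entry colour table
 */
#define NAME_BUF 16
#define PALETTE_ENTRIES 4

static const uint32_t palette[PALETTE_ENTRIES] = {0xFF0000u, 0x00FF00u, 0x0000FFu, 0xFFFFFFu};

typedef struct {
    char name[NAME_BUF];
    uint32_t colour;
} screen_t;

/* Vulnerable pattern: every length and index comes straight from the file.
 * - memcpy with a name_len larger than NAME_BUF writes past the
 *   stack-allocated buffer (CWE-121, stack-based buffer overflow).
 * - palette[palette_ix] with palette_ix >= PALETTE_ENTRIES reads outside
 *   the table (CWE-125, out-of-bounds read).
 * Shown for contrast only; never run this on untrusted input. */
int parse_screen_unchecked(const uint8_t *file, screen_t *out)
{
    char name[NAME_BUF];                 /* fixed-size stack buffer */
    size_t name_len = file[0];           /* taken from the file, never validated */
    memcpy(name, file + 1, name_len);    /* CWE-121: name_len may exceed NAME_BUF */
    name[name_len] = '\0';               /* same unchecked write */
    uint8_t palette_ix = file[1 + name_len];
    out->colour = palette[palette_ix];   /* CWE-125: palette_ix may be >= PALETTE_ENTRIES */
    memcpy(out->name, name, NAME_BUF);
    return 0;
}

/* Status codes returned by the hardened parser */
enum { PARSE_OK = 0, PARSE_ERR_SHORT = -1, PARSE_ERR_NAME_LEN = -2, PARSE_ERR_PALETTE = -3 };

/* Hardened pattern: every field is checked against the buffer it indexes
 * and against the real size of the file before it is used. */
int parse_screen_checked(const uint8_t *file, size_t file_len, screen_t *out)
{
    if (file_len < 2) return PARSE_ERR_SHORT;                 /* need length byte + palette byte */
    size_t name_len = file[0];
    if (name_len >= NAME_BUF) return PARSE_ERR_NAME_LEN;      /* keep room for the NUL: fixes CWE-121 */
    if (file_len < 1 + name_len + 1) return PARSE_ERR_SHORT;  /* name and palette byte must lie inside the file */
    uint8_t palette_ix = file[1 + name_len];
    if (palette_ix >= PALETTE_ENTRIES) return PARSE_ERR_PALETTE; /* fixes CWE-125 */
    memcpy(out->name, file + 1, name_len);
    out->name[name_len] = '\0';
    out->colour = palette[palette_ix];
    return PARSE_OK;
}

/* Constructed sample files: one well-formed, two malformed */
static const uint8_t good_file[]     = {5, 'M', 'a', 'i', 'n', '1', 2};  /* name "Main1", palette 2 */
static const uint8_t overflow_file[] = {200, 'A', 'A', 'A', 0};          /* claims a 200-byte name */
static const uint8_t oob_read_file[] = {3, 'a', 'b', 'c', 250};          /* palette index 250 */

static screen_t scratch;  /* result of the most recent checked_status() call */

/* Convenience wrapper: parse with the hardened parser and report the status */
int checked_status(const uint8_t *file, size_t file_len)
{
    return parse_screen_checked(file, file_len, &scratch);
}

int main(void)
{
    printf("good file:     %d\n", checked_status(good_file, sizeof good_file));       /* 0  */
    printf("overflow file: %d\n", checked_status(overflow_file, sizeof overflow_file)); /* -2 */
    printf("oob-read file: %d\n", checked_status(oob_read_file, sizeof oob_read_file)); /* -3 */
    return 0;
}
```

The important design point is that the hardened parser never touches memory on the basis of a value it has not already bounded: the name length is compared with the destination buffer, the computed offsets are compared with the actual file size, and the palette index is compared with the table size. A file that fails any of these checks is rejected with a distinct status code, which is also what an application should log so that defenders can spot malformed project files being opened.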

Delta Electronics received the vulnerability assessment report and subsequently acknowledged the flaws. Soon after, the firm released version 1.01.24 of CNCSoft (which includes ScreenEditor v1.00.98); administrators of affected deployments are advised to upgrade as soon as possible to prevent exploitation. As an additional mitigation measure, the International Institute of Cyber Security (IICS) recommends restricting the application to interacting only with trusted files.

It should be noted that exploiting either vulnerability would require local access, so remote attacks are ruled out. In addition, there are currently no known cases of exploitation in the wild and no publicly available proof-of-concept code or exploits. Administrators are encouraged to report any sign of malicious activity to the manufacturer and to cybersecurity firms and the community.