Executive Summary
- CVSS v3 Score: 4.4
- Exploitability: Low-skill-level attacks can exploit this vulnerability
- Vendor: Delta Electronics (Delta)
- Product: Delta Industrial Automation CNCSoft
- Vulnerability: Out-of-bounds Read

Risk Assessment
- Successful exploitation of this vulnerability could lead to buffer overflow, resulting in information disclosure or application crash.

Technical Details
- Affected Products
  - The following versions of Delta Industrial Automation CNCSoft are affected: CNCSoft ScreenEditor Version 1.00.84 and earlier.
- Vulnerability Overview
  - Out-of-bounds Read (CWE-125)
  - Due to lack of user input validation when processing project files, this vulnerability may cause an out-of-bounds read, potentially leading to software crashes.
  - The CVE identifier for this vulnerability is CVE-2019-6547, with a CVSS v3 score of 4.4 and vector (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L).
- Background
  - Critical Infrastructure Sector: Critical Manufacturing
  - Deployment Countries/Regions: Global
  - Company Headquarters Location: Taiwan

Researchers
- Natnael Samson (@NattiSamson), in collaboration with Trend Micro's Zero Day Initiative (ZDI), reported this vulnerability to NCCIC.

Mitigations
- Delta recommends:
  - Upgrade to the latest version, CNCSoft v1.01.15. The latest version is available at this link.
  - Restrict interaction with the application to trusted files only.
- NCCIC advises users to implement defensive measures to minimize the risk of exploitation:
  - Minimize network exposure of all control system devices and/or systems, and ensure they are not accessible from the internet. Place control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use secure methods such as Virtual Private Networks (VPNs), and recognize that VPNs may have vulnerabilities and should be updated to the latest versions. Note that VPN security is only as strong as the security of the connected devices.
- NCCIC reminds organizations to conduct appropriate impact analysis and risk assessment before deploying defensive measures.
- NCCIC also provides security recommendations for control systems on the ICS-CERT website. Several recommended articles are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
- Additional vulnerability mitigation guidance and recommended practices can be found in technical information documents, such as ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Reporting Malicious Activity
- Organizations observing any suspected malicious activity should follow their established internal procedures and report findings to NCCIC for tracking and correlation with other incidents.

Defending Against Social Engineering Attacks
- NCCIC also recommends users take the following steps to protect themselves from social engineering attacks:
  - Do not click on web links in emails or open unsolicited attachments.
  - Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  - Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

There are no known public exploits for this vulnerability.

This vulnerability cannot be exploited remotely.