SB2018010417 - Multiple vulnerabilities in Delta Electronics Delta Industrial Automation Screen Editor
Published: January 4, 2018 Updated: January 9, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Stack-based buffer overflow (CVE-ID: CVE-2017-16751)
CWE-ID: CWE-121 - Stack-based buffer overflow
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary code on the target system.
The weakness exists due to stack-based buffer overflow when handling a malicious input. A local attacker can supply specially crafted .dbp files, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
2) Use-after-free error (CVE-ID: CVE-2017-16749)
CWE-ID: CWE-416 - Use After Free
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free-error when handling a malicious input. A local attacker can supply specially crafted .dbp files, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
3) Out-of-bounds write (CVE-ID: CVE-2017-16747)
CWE-ID: CWE-787 - Out-of-bounds write
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary code on the target system.
The weakness exists due to out-of-bounds write when handling a malicious input. A local attacker can supply specially crafted .dbp files, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
4) Type confusion (CVE-ID: CVE-2017-16745)
CWE-ID: CWE-843 - Type confusion
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion error when handling a malicious input. A local attacker can supply specially crafted .dbp files, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install update from vendor's website.