Multiple vulnerabilities in Delta Electronics Delta Industrial Automation Screen Editor
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2017-16751 CVE-2017-16749 CVE-2017-16747 CVE-2017-16745 |
| CWE-ID | CWE-121 CWE-416 CWE-787 CWE-843 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Delta Industrial Automation Screen Editor Client/Desktop applications / Other client software |
| Vendor | Delta Electronics, Inc. |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Stack-based buffer overflow
EUVDB-ID: #VU9885
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-16751
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to execute arbitrary code on the target system.
The weakness exists due to stack-based buffer overflow when handling a malicious input. A local attacker can supply specially crafted .dbp files, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to the latest version.
Delta Industrial Automation Screen Editor: All versions
External linkshttp://ics-cert.us-cert.gov/advisories/ICSA-18-004-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free error
EUVDB-ID: #VU9886
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-16749
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free-error when handling a malicious input. A local attacker can supply specially crafted .dbp files, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to the latest version.
Delta Industrial Automation Screen Editor: All versions
External linkshttp://ics-cert.us-cert.gov/advisories/ICSA-18-004-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds write
EUVDB-ID: #VU9887
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-16747
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to execute arbitrary code on the target system.
The weakness exists due to out-of-bounds write when handling a malicious input. A local attacker can supply specially crafted .dbp files, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to the latest version.
Delta Industrial Automation Screen Editor: All versions
External linkshttp://ics-cert.us-cert.gov/advisories/ICSA-18-004-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Type confusion
EUVDB-ID: #VU9888
Risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-16745
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion error when handling a malicious input. A local attacker can supply specially crafted .dbp files, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to the latest version.
Delta Industrial Automation Screen Editor: All versions
External linkshttp://ics-cert.us-cert.gov/advisories/ICSA-18-004-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
