SB2018060106 - Multiple vulnerabilities in Delta Industrial Automation DOPSoft




Published: June 1, 2018

Security Bulletin ID: SB2018060106
Severity: High
Patch available: Yes
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 67%, Low: 33%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2018-10623)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists because the application performs read operations on a memory buffer at a position that can be determined by a value read from a .dpa file. A remote unauthenticated attacker can bypass security restrictions and trigger operations outside the bounds of the memory buffer, alter the intended control flow, read sensitive information, or cause the application to crash.


2) Heap-based buffer overflow (CVE-ID: CVE-2018-10617)

The vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code on the target system.

The vulnerability exists because the application uses a fixed-length heap buffer, and a value larger than the buffer can be read from a .dpa file into it. A remote unauthenticated attacker can trigger a heap-based buffer overflow and cause the service to crash or execute arbitrary code with elevated privileges.


3) Stack-based buffer overflow (CVE-ID: CVE-2018-10621)

The vulnerability allows a remote attacker to cause a DoS condition or execute arbitrary code on the target system.

The vulnerability exists because the application uses a fixed-length stack buffer, and a value larger than the buffer can be read from a .dpa file into it. A remote unauthenticated attacker can trigger a stack-based buffer overflow and cause the service to crash or execute arbitrary code with elevated privileges.
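
All three descriptions above involve a value read from a .dpa file being used as a read position or a copy length against a fixed-size buffer. The following C parser is an added illustration of the checks that prevent this (it is not vendor code and not part of the original bulletin); the record layout, identifiers and sample bytes are hypothetical and do not reflect the real .dpa format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN  32  /* fixed-length destination buffer */
#define TABLE_ENTRIES 8   /* size of the table the file indexes into */
#define HEADER_LEN    3
/* Hypothetical record layout, NOT the real .dpa format:
 * byte 0 = table index, bytes 1-2 = little-endian name length, then name. */
enum parse_status { PARSE_OK, ERR_TRUNCATED, ERR_INDEX, ERR_LENGTH };
struct record { uint16_t table_value; size_t name_len; char name[NAME_MAX_LEN + 1]; };
static const uint16_t lookup_table[TABLE_ENTRIES] = {10, 20, 30, 40, 50, 60, 70, 80};

enum parse_status parse_record(const uint8_t *buf, size_t buf_len, struct record *out)
{
    if (buf == NULL || out == NULL || buf_len < HEADER_LEN)
        return ERR_TRUNCATED;
    size_t index    = buf[0];
    size_t name_len = (size_t)buf[1] | ((size_t)buf[2] << 8);

    if (index >= TABLE_ENTRIES)          /* file-supplied read position */
        return ERR_INDEX;
    if (name_len > NAME_MAX_LEN)         /* file-supplied length vs fixed buffer */
        return ERR_LENGTH;
    if (name_len > buf_len - HEADER_LEN) /* length vs bytes actually present */
        return ERR_TRUNCATED;

    out->table_value = lookup_table[index];
    out->name_len    = name_len;
    memcpy(out->name, buf + HEADER_LEN, name_len);
    out->name[name_len] = '\0';
    return PARSE_OK;
}

/* Constructed sample records (not taken from any real project file). */
const uint8_t sample_ok[]        = {2, 5, 0, 'p', 'a', 'n', 'e', 'l'};
const uint8_t sample_bad_index[] = {200, 1, 0, 'x'};
const uint8_t sample_bad_len[]   = {1, 0xFF, 0xFF, 'x'};
const uint8_t sample_short[]     = {1, 10, 0, 'x'};

int main(void)
{
    struct record r;
    enum parse_status s = parse_record(sample_ok, sizeof sample_ok, &r);
    printf("ok=%d name=%s value=%u\n", s == PARSE_OK, r.name, (unsigned)r.table_value);
    printf("bad index -> %d\n", (int)parse_record(sample_bad_index, sizeof sample_bad_index, &r));
    return 0;
}
```
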


Remediation

Install the update from the vendor's website.