#VU9886 Use-after-free error in Delta Industrial Automation Screen Editor
Vulnerability identifier: #VU9886
Vulnerability risk: Low
CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-416
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Delta Industrial Automation Screen Editor
Client/Desktop applications /
Other client software
Vendor: Delta Electronics, Inc.
Description
The vulnerability allows a local attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free-error when handling a malicious input. A local attacker can supply specially crafted .dbp files, trigger memory corruption and execute arbitrary code with elevated privileges.
Successful exploitation of the vulnerability may result in system compromise.
Mitigation
Update to the latest version.
Vulnerable software versions
Delta Industrial Automation Screen Editor: All versions
External links
http://ics-cert.us-cert.gov/advisories/ICSA-18-004-01
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
