SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-565515063] Delta Electronics WPLSoft

Date: 2018-02-27
Type: Other
Platform: Delta Electronics
Author: Axt working with Trend Micro's Zero Day Initiative reported these vulnerabilities to NCCIC.
EDB-ID: N/A
CVE-ID: CVE-2018-7494, CVE-2018-7507, CVE-2018-7509
OSVDB-ID: N/A
Download App: N/A
SIS Signature: N/A

Source

#
# Delta Electronics WPLSoft
#


### VULNERABLE VENDOR
Delta Electronics


### VULNERABLE PRODUCT
WPLSoft 


### RESEARCHER
Axt working with Trend Micro’s Zero Day Initiative reported these vulnerabilities to NCCIC.


### AFFECTED PRODUCTS
The following versions of WPLSoft, a PLC programming software, are affected:

WPLSoft, Versions 2.45.0 and prior


### IMPACT
Successful exploitation of these vulnerabilities could allow remote code execution or cause the software the attacker is accessing to crash.


### VULNERABILITY OVERVIEW
STACK-BASED BUFFER OVERFLOW CWE-121
The application utilizes a fixed length stack buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be overwritten, which may allow remote code execution or cause the application to crash.
CVE-2018-7494 has been assigned to this vulnerability.
A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H)


HEAP-BASED BUFFER OVERFLOW CWE-122
The application utilizes a fixed length heap buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be overwritten, which may allow remote code execution or cause the application to crash.
CVE-2018-7507 has been assigned to this vulnerability.
A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H)


OUT-OF-BOUNDS WRITE CWE-787
The application writes data from a file outside the bounds of the intended buffer space, which could cause memory corruption or may allow remote code execution.
CVE-2018-7509 has been assigned to this vulnerability.
A CVSS v3 base score of 8.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H)
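
All three entries above share one root cause: a length taken from the file is trusted when copying into a fixed-size buffer. The following is an added example, not code from WPLSoft or from the advisory; the record layout, `read_name`, `NAME_CAP` and the sample bytes are hypothetical and constructed here to show the bounds checks that close this class of bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_CAP 32  /* fixed-length destination buffer (assumed size) */

enum rec_status { REC_OK = 0, REC_TRUNCATED = -1, REC_TOO_LONG = -2 };

/* Hypothetical record layout (constructed, not WPLSoft's real format):
 *   [u16 little-endian length][length bytes of payload]
 * `file` / `file_len` hold the bytes read from an untrusted file. */
enum rec_status read_name(const uint8_t *file, size_t file_len,
                          char name[NAME_CAP], size_t *consumed)
{
    if (file_len < 2)
        return REC_TRUNCATED;
    size_t len = (size_t)file[0] | ((size_t)file[1] << 8);

    /* Unsafe pattern: memcpy(name, file + 2, len) with no checks.
     * `len` comes from the file, so any value above NAME_CAP
     * writes past `name`. Validate against both buffers first. */
    if (len > NAME_CAP - 1)      /* destination bound, room for '\0' */
        return REC_TOO_LONG;
    if (len > file_len - 2)      /* source bound: length field overstates data */
        return REC_TRUNCATED;

    memcpy(name, file + 2, len);
    name[len] = '\0';
    if (consumed)
        *consumed = 2 + len;
    return REC_OK;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_OK[]        = { 0x03, 0x00, 'P', 'L', 'C' };
static const uint8_t SAMPLE_OVERSIZE[]  = { 0xFF, 0xFF, 'A', 'A', 'A', 'A' };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x05, 0x00, 'a', 'b' };

int main(void)
{
    char name[NAME_CAP];
    printf("%d %d %d\n",
           read_name(SAMPLE_OK, sizeof SAMPLE_OK, name, NULL),
           read_name(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE, name, NULL),
           read_name(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, name, NULL));
    return 0;
}
```

The same two checks apply whether the destination is on the stack (CWE-121) or the heap (CWE-122); only the location of the overwritten memory differs.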





### BACKGROUND
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
Countries/Areas Deployed: Asia, Europe, United States
Company Headquarters Location: Taiwan




### MITIGATION

Delta Electronics recommends affected users update their software to the latest version of WPLSoft V2.46.0 that is available at the following location:

http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=5043&DocPath=1&hl=en-US


Additionally, Delta recommends users restrict the application’s interaction to trusted files.