#VU20350 Out-of-bounds read in Delta Industrial Automation DOPSoft - CVE-2019-13513

Cybersecurity Help s.r.o.

Published: 2019-08-21

Vulnerability identifier: #VU20350

Vulnerability risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-13513

CWE-ID: CWE-125

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Delta Industrial Automation DOPSoft
Client/Desktop applications / Other client software

Vendor: Delta Electronics, Inc.

Description

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing a specially crafted project file. A local attacker can create a specially crafted project file, trigger out-of-bounds read error and read contents of memory on the system and cause it to crash.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Delta Industrial Automation DOPSoft: 4.00.06.15

External links
https://www.us-cert.gov/ics/advisories/icsa-19-225-01
https://www.zerodayinitiative.com/advisories/ZDI-19-718/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for git

Gentoo update for Git

OpenSUSE Linux update for git

Amazon Linux AMI update for git

Multiple vulnerabilities in Delta Industrial Automation DOPSoft