Delta Electronics WPLSoft, ISPSoft, and PMSoft Vulnerabilities

Plan Patch8.8ICS-CERT ICSA-16-348-03Sep 16, 2016

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Delta Electronics WPLSoft, ISPSoft, and PMSoft contain buffer overflow vulnerabilities (CWE-122, CWE-787) in memory handling. These software applications are used for programming and configuration of Delta industrial controllers and devices. The vulnerabilities allow arbitrary code execution when a user opens a malicious file.

What this means

What could happen

An attacker could achieve arbitrary code execution on an engineering workstation running these tools, allowing modification of controller configurations, ladder logic, or process parameters that could disrupt water/power operations when pushed to devices.

Who's at risk

Engineering teams at water authorities, municipal electric utilities, and other infrastructure operators who use Delta Electronics controller programming tools (WPLSoft for HMI/SCADA, ISPSoft for programmable relays, PMSoft for power monitoring devices). Risk is highest where engineers receive external project files or collaborate with third-party integrators.

How it could be exploited

An attacker sends a malicious file (project file, configuration file, or import file) to an engineer. When the engineer opens the file in WPLSoft, ISPSoft, or PMSoft, the buffer overflow is triggered and the attacker's code runs with the privileges of the engineering workstation. The attacker could then modify industrial device configurations or create malicious logic.

Prerequisites

User must open a malicious file in one of the affected applications
Engineer workstation must have WPLSoft, ISPSoft, or PMSoft installed
File delivery mechanism (email, USB, file share)

no patch availablelow complexity attack (requires user to open file)affects engineering workstations with access to production devicesbuffer overflow can lead to arbitrary code execution

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

WPLSoft: <V2.42.11<V2.42.11No fix (EOL)

ISPSoft: <3.02.11<3.02.11No fix (EOL)

PMSoft: <2.10.10<2.10.10No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict file sharing and email attachments containing project files (.gwl, .gxp, .pxp, or similar) from untrusted sources to engineering workstations

HARDENINGTrain engineers to verify the source of project files and configuration files before opening them

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: WPLSoft: <V2.42.11, ISPSoft: <3.02.11, PMSoft: <2.10.10. Apply the following compensating controls:

HARDENINGIsolate engineering workstations running these tools on a separate network segment with limited access to production devices

HARDENINGImplement application whitelisting or control on engineering workstations to restrict execution of unexpected code

CVEs (2)

CVE-2016-5805 CVE-2016-5802

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9a5644ba-a46c-4cab-beb6-be66984b3e5b