Delta Electronics Delta Industrial Automation TPEditor (Update A)

Plan Patch7.3ICS-CERT ICSA-18-137-04May 17, 2018

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Delta Industrial Automation TPEditor versions 1.89 and earlier contain a buffer overflow vulnerability (CWE-122) that could allow remote code execution. The vulnerability can be triggered by processing a malicious file, potentially crashing the application or allowing an attacker to execute arbitrary code with the privileges of the TPEditor process.

What this means

What could happen

An attacker who tricks an operator into opening a malicious file could crash TPEditor or execute code on the engineering workstation, potentially compromising the ability to monitor or reprogram industrial controllers and enabling downstream attacks on connected control systems.

Who's at risk

Manufacturing facilities using Delta Industrial Automation TPEditor for PLC programming and configuration are affected. This includes any engineering or automation technician who uses this software to develop, test, or modify control logic for Delta industrial controllers. Small to mid-size manufacturers with in-house automation teams are particularly at risk if they lack formal security awareness training.

How it could be exploited

An attacker crafts a malicious file (likely a project or configuration file format that TPEditor reads) and sends it to an operator via email or other means. When the operator opens the file in TPEditor, the buffer overflow is triggered, either crashing the application or allowing code execution on that workstation. From there, the attacker could access the engineering network and connected PLCs or other industrial devices.

Prerequisites

Operator must open a malicious file in TPEditor (social engineering required)
TPEditor version 1.89 or earlier must be installed
File format must be one that TPEditor processes (exact formats not specified in advisory)

remotely exploitable via malicious filelow complexity attack (just send a file)affects engineering workstations that control critical systemssocial engineering required but practical

Exploitability

Moderate exploit probability (EPSS 5.7%)

Affected products (1)

ProductAffected VersionsFix Status

Delta Industrial Automation TPEditor:≤ 1.891.90

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDUntil patched, restrict TPEditor access to trusted files only; do not open files from untrusted sources or email attachments

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Delta Industrial Automation TPEditor to version 1.90 or later

Long-term hardening

0/3

HARDENINGImplement network segmentation to isolate engineering workstations (where TPEditor runs) from the business network

HARDENINGEnsure engineering workstations are not directly accessible from the Internet or untrusted networks

HARDENINGProvide security awareness training to operators on not opening unsolicited email attachments or files from unknown sources

CVEs (1)

CVE-2018-8871

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/853602ea-a34a-4f46-9687-338b655f3e66