Delta Electronics CNCSoft-B

Plan Patch7.8ICS-CERT ICSA-21-007-04Jan 7, 2021

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Delta Electronics CNCSoft-B versions 1.0.0.2 and earlier contain multiple memory corruption vulnerabilities (CWE-787 buffer overflow, CWE-125 out-of-bounds read, CWE-822 unreliable pointer dereference, CWE-843 type confusion). These vulnerabilities could lead to arbitrary code execution on the affected system. The vulnerabilities are not remotely exploitable.

What this means

What could happen

An attacker with local access to a machine running CNCSoft-B could execute arbitrary code, potentially allowing modification of CNC machine control logic, tool paths, or process parameters that affect manufacturing operations.

Who's at risk

Manufacturing facilities and machine shops using Delta Electronics CNCSoft-B for CNC machine control engineering and programming. This affects engineering workstations that use CNCSoft-B to create or modify machine control programs.

How it could be exploited

An attacker would need to trick a user into opening a malicious file or executing a crafted input on a system running vulnerable CNCSoft-B. The attack requires local execution and user interaction (file opening). Once code execution is achieved on the engineering workstation, the attacker could alter machine configurations or control logic before those changes are deployed to the CNC machine.

Prerequisites

Local access to the workstation running CNCSoft-B
User interaction required to open a malicious file or trigger the vulnerability
CNCSoft-B version 1.0.0.2 or earlier running on the system

Low complexity exploitationRequires user interaction (file opening)Affects engineering workstations, not the CNC machines directlyMemory corruption vulnerabilities common in legacy code

Exploitability

Low exploit probability (EPSS 0.5%)

Affected products (1)

ProductAffected VersionsFix Status

CNCSoft-B:≤ 1.0.0.21.0.0.3

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict file permissions on CNCSoft-B workstations to limit who can run the application and open project files

HARDENINGEducate engineering staff not to open CNCSoft-B project files from untrusted sources

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CNCSoft-B to version 1.0.0.3 or later on all workstations

Long-term hardening

0/1

HARDENINGIsolate engineering workstations running CNCSoft-B from the business network and internet

CVEs (4)

CVE-2020-27287 CVE-2020-27291 CVE-2020-27289 CVE-2020-27293

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1b1e1e83-7daa-40ac-b7a9-d6a2bc121220