Delta Electronics DOPSoft 2 (Update A)

Act Now7.8ICS-CERT ICSA-21-252-02Sep 9, 2021

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

DOPSoft 2 is affected by buffer overflow vulnerabilities (CWE-121, CWE-787, CWE-122) in file parsing that allow arbitrary code execution when a user opens a malicious project file or attachment. The vulnerabilities affect DOPSoft 2 version 2.00.07 and earlier. DOPSoft 2 is end-of-life and will not receive vendor patches. Delta Electronics recommends migration to DOP-100 family devices and DIAScreen software in DIAStudio v1.1.2 or later.

What this means

What could happen

An attacker with local access to a system running DOPSoft 2 could execute arbitrary code with the privileges of the logged-in user, potentially gaining control of HMI functionality and the connected Delta industrial devices.

Who's at risk

This affects organizations using Delta Electronics DOPSoft 2 software to configure and monitor Delta HMI (Human-Machine Interface) devices, including process engineers, maintenance technicians, and operations staff at manufacturing plants, water utilities, and other facilities running Delta control systems.

How it could be exploited

An attacker must trick a user into opening a malicious project file (.dop file) or unsolicited file attachment in DOPSoft 2. The vulnerability (buffer overflow in file parsing) is triggered when the file is opened, allowing code execution. This requires social engineering or phishing to deliver the malicious file to an engineer or operator with DOPSoft 2 installed.

Prerequisites

Local access to a machine running DOPSoft 2
User interaction required to open a malicious project file or attachment
DOPSoft 2 version 2.00.07 or earlier installed

Actively exploited (KEV)High EPSS score (67.5%)No patch availableUser interaction requiredLocal access requiredAffects HMI/operator interface systems

Exploitability

Actively exploited — confirmed by CISA KEV

Affected products (1)

ProductAffected VersionsFix Status

DOPSoft 2:≤ 2.00.07No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDEducate users not to open project files or attachments from untrusted sources

HARDENINGImplement email filtering and disable email attachments where possible to prevent phishing delivery of malicious files

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXMigrate from DOPSoft 2 to DOP-100 family devices and DIAScreen in DIAStudio v1.1.2 or later

HARDENINGRestrict local access to machines running DOPSoft 2 to authorized engineering personnel only

CVEs (3)

CVE-2021-38402 CVE-2021-38406 CVE-2021-38404

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a56d4f74-f859-4146-921f-e29b87f9706f