OTPulse

Delta Industrial Automation DRAS

Monitor · 5.5 · ICS-CERT ICSA-22-228-03 · Aug 16, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Delta Industrial Automation DRAS contains an XML external entity (XXE) injection vulnerability that allows an attacker to read and exfiltrate sensitive information from the affected host machine. The vulnerability exists in all versions before 1.13.20. Exploitation requires local access and user interaction (clicking a link or opening an attachment).

What this means
What could happen
An attacker could trick an operator into opening a malicious file or link, allowing the attacker to read sensitive files and configuration data from the DRAS server, potentially including credentials or process parameters.
Who's at risk
Manufacturing facilities using Delta Electronics DRAS (Remote Automation Solutions) should prioritize this issue. DRAS is typically deployed on engineering workstations or historian servers to manage automated systems. This affects anyone running DRAS versions before 1.13.20.
How it could be exploited
An attacker crafts a malicious XML file or email link containing an XXE payload. When a DRAS user clicks the link or opens the attachment on a machine running DRAS, the application parses the malicious XML and exposes sensitive files from the local system to the attacker.
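The parsing step described above, seen from the defender's side (an added example, not part of this advisory or of Delta's DRAS code): an expat-based audit that flags any DTD, entity declaration or external entity reference before a document reaches the application parser, so a file carrying an XXE payload is rejected instead of parsed. The sample documents and the file path inside them are constructed placeholders.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when an untrusted document declares a DTD or entities."""


def audit_xml(data: bytes) -> list[str]:
    """Return every DTD/entity construct in `data`; an empty list means clean.
    expat never fetches external entities by itself, so hooking the
    declaration/reference callbacks records them without resolving anything."""
    findings: list[str] = []
    p = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE {name!r}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        findings.append(f"{kind} entity {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity reference {sysid!r}")
        return 1  # keep parsing so the audit sees the whole document

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(data, True)
    return findings


def is_safe_xml(data: bytes) -> bool:
    return not audit_xml(data)


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Allowlist approach: only DTD-free documents reach the real parser."""
    findings = audit_xml(data)
    if findings:
        raise UnsafeXML("; ".join(findings))
    return ET.fromstring(data)


# Constructed samples: a benign recipe file and one carrying an XXE payload.
BENIGN = b'<?xml version="1.0"?><recipe><step name="heat" setpoint="180"/></recipe>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE recipe [<!ENTITY xxe SYSTEM "file:///PLACEHOLDER/secret.cfg">]>'
       b'<recipe><step>&xxe;</step></recipe>')
```

The same audit can run as a pre-filter on attachments or imported project files before the application ever opens them.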
Prerequisites
  • Local access to or ability to send email to a DRAS user
  • User must click a link or open an attachment
  • DRAS version before 1.13.20 must be installed on the recipient's system
  • XXE (XML external entity) injection vulnerability
  • Information disclosure risk
  • Requires user interaction (social engineering vector)
  • Low attack complexity
  • No patch available for end-of-life systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product      Affected Versions   Fix Status
DRAS: All    < 1.13.20           1.13.20
Remediation & Mitigation
Do now
HARDENING: Train operators and engineers to recognize phishing emails and avoid clicking suspicious links or opening unexpected attachments, especially those claiming to contain DRAS-related content
WORKAROUND: Implement email filtering and attachment scanning on workstations running DRAS to block known malicious file types and suspicious external links
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update DRAS to version 1.13.20 or later
Long-term hardening
HARDENING: Segment engineering workstations running DRAS from general corporate email and internet access where possible