Delta Electronics DOPSoft

Monitor7.8ICS-CERT ICSA-23-031-01Jan 31, 2023

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

DOPSoft versions 4.00.16.22 and earlier contain buffer underflow (CWE-121) and out-of-bounds write (CWE-787) vulnerabilities that could allow code execution. Delta Electronics has not released a patch for DOPSoft but recommends migrating to DIAScreen version 1.3.0. Exploitation requires local access to a workstation running DOPSoft and user interaction. No public exploits are known, and these vulnerabilities are not remotely exploitable.

What this means

What could happen

An attacker with local access to a workstation running DOPSoft could execute arbitrary code with the same privileges as the application, potentially gaining control of the engineering environment and the ability to modify HMI/SCADA projects before deployment to control systems.

Who's at risk

Organizations operating Delta Electronics HMI/SCADA systems that use DOPSoft for engineering and project management on workstations should be aware of this vulnerability. This affects water utilities, electric utilities, chemical plants, and other facilities that deploy Delta HMI panels in critical control applications.

How it could be exploited

An attacker must first gain local access to a workstation running DOPSoft, then trigger one of the memory corruption vulnerabilities (CWE-121 buffer underflow or CWE-787 out-of-bounds write) through malformed input or a specially crafted file. Successful exploitation allows arbitrary code execution in the context of the DOPSoft application.

Prerequisites

Local access to a workstation running DOPSoft version 4.00.16.22 or earlier
User interaction required to open a malicious file or input
No special credentials or elevated privileges required

Local access required only (not remotely exploitable)Memory corruption vulnerabilities (buffer underflow and out-of-bounds write)No patch available from vendorUser interaction required but plausible via social engineeringAffects engineering/project management environment

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

DOPSoft: DOPSoft:≤ 4.00.16.22No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGRestrict physical and network access to DOPSoft engineering workstations; ensure only authorized personnel can access machines running the software

WORKAROUNDTrain engineering staff to avoid opening files from untrusted sources and to verify the integrity of project files before loading them into DOPSoft

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXMigrate from DOPSoft to Delta Electronics DIAScreen version 1.3.0 or later

Mitigations - no patch available

0/1

DOPSoft: DOPSoft: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement application whitelisting on engineering workstations to prevent execution of unauthorized code

CVEs (2)

CVE-2023-0123 CVE-2023-0124

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d8b6bccc-b070-4b4a-9d43-b7711affc10d