OTPulse

Delta Electronics CNCSoft-B

Plan PatchCVSS 7.8ICS-CERT ICSA-24-060-01Feb 29, 2024
Delta Electronics
Attack path
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

CNCSoft-B contains a buffer overflow vulnerability (CWE-121) that allows local code execution. Successful exploitation requires local access to a workstation running the software and user interaction, such as opening a malicious file. An attacker could execute arbitrary code with application privileges, potentially modifying control logic, parameters, or system configurations. The vulnerability affects CNCSoft-B version 1.0.0.4 and earlier. Delta Electronics has released version 1.0.0.4 with Issue Date 2024-01-23 as the remediated version.

What this means
What could happen
An attacker with local access to a machine running CNCSoft-B could execute arbitrary code with the privileges of the application, potentially gaining full control of the engineering workstation and the ability to modify CNC or control system configurations.
Who's at risk
Organizations operating CNC machines or Delta Electronics control systems that use CNCSoft-B engineering software on operator or engineering workstations. This primarily affects manufacturing facilities, machine shops, and automation integrators using Delta PLCs, drives, or motion controllers.
How it could be exploited
An attacker must have local access to a workstation running CNCSoft-B and persuade a user to open a malicious file or interact with a specially crafted input. Once executed, the attacker gains code execution in the context of the application, allowing modification of control logic or system parameters.
Prerequisites
  • Local access to the workstation running CNCSoft-B
  • User interaction required (file open or interaction with malicious input)
  • Affected version CNCSoft-B 1.0.0.4 or earlier
Local access required (reduces remote risk)User interaction requiredAffects engineering/control softwareNo patch available yet (advisory states fix available, but product documentation suggests no fix planned)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
ProductAffected VersionsFix Status
CNCSoft-B: <=1.0.0.4≤ 1.0.0.41.0.0.4 (2024-01-23+)
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGRestrict local access to engineering workstations running CNCSoft-B through physical and logical access controls
WORKAROUNDEducate users not to open files or interact with untrusted input on CNCSoft-B workstations
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CNCSoft-B to version 1.0.0.4 dated 2024-01-23 or later
Long-term hardening
0/1
HARDENINGIsolate control system networks and engineering workstations from business networks using firewalls and network segmentation
View full CISA ICS-CERT advisory
API: /api/v1/advisories/1a20e590-bdfe-43cb-9626-fb519d5714e6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Delta Electronics CNCSoft-B | CVSS 7.8 - OTPulse