A buffer overflow vulnerability has been identified in Delta Industrial Automation COMMGR – communication management software by Delta Electronics. Successful exploitation of the vulnerability could allow remote code execution, cause the application to crash, or cause a denial-of-service condition in the application server.
The issue is caused by the application server using a fixed-length stack buffer, where an unverified length value can be read from the network packets via a specific network port, causing the buffer to be overwritten.
The vulnerability, CVE-2018-10594, affects the following solutions:
- COMMGR software Version 1.08 and prior;
- PLC simulators DVPSimulator EH2, EH3, ES2, SE, SS2
A CVSS v3 base score of 7.3 has been calculated for this vulnerability.
To fix the vulnerability, the vendor recommends installing a new version (COMMGR 1.09) of the software, as well as using application whitelists to allow only trusted communications via Ports 502 and 10002.