27 June 2018

Vulnerability in Delta Industrial Automation COMMGR software

A buffer overflow vulnerability has been identified in Delta Industrial Automation COMMGR – communication management software by Delta Electronics. Successful exploitation of the vulnerability could allow remote code execution, cause the application to crash, or cause a denial-of-service condition in the application server.

The issue is caused by the application server copying data into a fixed-length stack buffer using a length value that is read from network packets on a specific network port and is not verified, which allows the buffer to be overwritten.
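The class of bug described above, shown as an added C example (not code from the vendor or from ICS-CERT): a handler that checks the packet's declared length against both the buffer capacity and the bytes actually received before copying. The packet layout (2-byte big-endian length prefix), the 256-byte buffer size and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN     2    /* assumed layout: 2-byte big-endian length, then payload */
#define PAYLOAD_MAX 256  /* assumed capacity of the fixed-length stack buffer */

enum { PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* The flawed pattern, in outline: the length is taken from the packet and
 * used as the copy size with no check against the destination buffer:
 *     declared = (pkt[0] << 8) | pkt[1];
 *     memcpy(buf, pkt + HDR_LEN, declared);    // can write past buf
 */

/* Hardened copy: returns the payload length, or a negative PARSE_* code. */
static int copy_payload(const uint8_t *pkt, size_t pkt_len,
                        uint8_t *out, size_t out_cap)
{
    if (pkt_len < HDR_LEN) return PARSE_TRUNCATED;        /* no full header */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > out_cap) return PARSE_TOO_LONG;        /* would overflow out */
    if (declared > pkt_len - HDR_LEN) return PARSE_TRUNCATED; /* would over-read pkt */
    memcpy(out, pkt + HDR_LEN, declared);
    return (int)declared;
}

/* Handler that owns the fixed-length stack buffer. */
int handle_packet(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t buf[PAYLOAD_MAX];
    return copy_payload(pkt, pkt_len, buf, sizeof buf);
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_OK[]        = {0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t SAMPLE_OVERLONG[]  = {0xFF, 0xFF, 'a'};       /* claims 65535 bytes */
static const uint8_t SAMPLE_TRUNCATED[] = {0x00, 0x10, 'a', 'b'};  /* claims 16, has 2 */

int main(void)
{
    printf("ok=%d overlong=%d truncated=%d\n",
           handle_packet(SAMPLE_OK, sizeof SAMPLE_OK),
           handle_packet(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG),
           handle_packet(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```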

The vulnerability, CVE-2018-10594, affects the following solutions:

  • COMMGR software Version 1.08 and prior;
  • PLC simulators DVPSimulator EH2, EH3, ES2, SE, SS2.

A CVSS v3 base score of 7.3 has been calculated for this vulnerability.

To fix the vulnerability, the vendor recommends installing a new version (COMMGR 1.09) of the software, as well as using application whitelists to allow only trusted communications via Ports 502 and 10002.

Source: ICS-CERT