Brief

Summary:

A vulnerability in the DIAScreen software configuration tool for Delta devices, versions prior to v1.3.2, has been identified as a CVSS v3 7.8 Out-of-bounds Write (CWE-787) vulnerability. Successful exploitation could allow remote code execution. The vulnerability, identified as CVE-2023-5068, has been patched by Delta Electronics, and users are recommended to update to version 1.3.2. Mitigation guidance includes defensive measures to minimize risk, avoiding social engineering attacks, and implementing recommended cybersecurity strategies for proactive defense.


1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low attack complexity
  • Vendor: Delta Electronics
  • Equipment: DIAScreen
  • Vulnerability: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Delta Electronics reports the following versions of DIAScreen, a software configuration tool for Delta devices, are affected:

  • DIAScreen: versions prior to v1.3.2

3.2 Vulnerability Overview

3.2.1 Out-of-bounds Write CWE-787

Delta Electronics DIAScreen may write past the end of an allocated buffer while parsing a specially crafted input file. This could allow an attacker to execute code in the context of the current process.

CVE-2023-5068 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
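The advisory does not describe DIAScreen's file format, so the following is an added example rather than Delta's code: a C parser for a constructed, hypothetical record layout that shows the length checks whose absence produces exactly this class of out-of-bounds write (a file-supplied length copied into a fixed-size buffer). The format, field names and sample files are invented for illustration.

```c
/* Added example, not Delta's code: a parser for a constructed record
 * format, showing the length checks whose absence yields the CWE-787
 * out-of-bounds write the advisory describes. Invented layout:
 *   [u16 name_len][name bytes][u16 value_len][value bytes] ...
 * Every length field is untrusted input from the file. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#define NAME_MAX 32
typedef struct { char name[NAME_MAX]; uint16_t value_len; } record_t;

/* Little-endian u16; caller guarantees two bytes remain. */
static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the number of records parsed, or -1 if the file is malformed.
 * Every read is checked against the file length, and name_len is checked
 * against the fixed-size destination before memcpy: dropping that second
 * check is the unchecked-length pattern behind this bug class. */
int parse_records(const uint8_t *buf, size_t len, record_t *out, size_t max_out) {
    size_t off = 0, n = 0;
    while (off < len) {
        if (len - off < 2) return -1;                /* truncated header */
        uint16_t name_len = rd_u16(buf + off); off += 2;
        if (name_len >= NAME_MAX) return -1;         /* would overflow out[n].name */
        if (len - off < name_len) return -1;         /* name runs past end of file */
        if (n >= max_out) return -1;                 /* destination array is full */
        memcpy(out[n].name, buf + off, name_len);
        out[n].name[name_len] = '\0'; off += name_len;
        if (len - off < 2) return -1;                /* truncated value header */
        uint16_t value_len = rd_u16(buf + off); off += 2;
        if (len - off < value_len) return -1;        /* value runs past end of file */
        out[n].value_len = value_len; off += value_len; /* value bytes skipped here */
        n++;
    }
    return (int)n;
}

/* Constructed sample files: one well-formed, one claiming a 400-byte name. */
static const uint8_t good_file[] = { 4,0,'b','a','u','d', 2,0,0x80,0x25 };
static const uint8_t crafted_file[] = { 0x90,0x01,'x','x' };
static record_t g_recs[4];

int main(void) {
    int ok = parse_records(good_file, sizeof good_file, g_recs, 4);
    int bad = parse_records(crafted_file, sizeof crafted_file, g_recs, 4);
    printf("good file: %d record(s), name=%s; crafted file: %d\n", ok, g_recs[0].name, bad);
    return 0;
}
```

The crafted sample is rejected by the `name_len >= NAME_MAX` check before any copy happens; without it, `memcpy` would write 400 bytes into a 32-byte field.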

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

kimiya working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics has released a new version (v1.3.2) of DIAScreen to address this issue.
Users can download it at the download center of DIAStudio. (Login required)

CISA recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely: consistent with the AV:L/UI:R vector above, an attacker needs a user on the affected host to open a specially crafted input file.

5. UPDATE HISTORY

  • September 21, 2023: Initial Publication


Summary:

The Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory, also available as a CSAF (Common Security Advisory Framework) document, detailing a vulnerability in Delta Electronics’ DIAScreen software configuration tool for Delta devices. The vulnerability, assigned CVE-2023-5068, is an Out-of-bounds Write (CWE-787) with a CVSS v3 base score of 7.8. It affects DIAScreen versions prior to v1.3.2 and allows an attacker to execute code in the context of the current process through a specially crafted input file.

Risk Evaluation:
Successful exploitation of this vulnerability may allow remote code execution, posing a significant threat to affected systems and organizations. The vulnerability is considered to have a low attack complexity, making it more accessible to attackers.

Technical Details:
The affected products are Delta Electronics’ DIAScreen software configuration tool, specifically versions prior to v1.3.2. The vulnerability allows an attacker to write past the end of an allocated buffer while parsing a specially crafted input file, enabling remote code execution.

Background Information:
The vulnerability was reported by kimiya, working with Trend Micro Zero Day Initiative. DIAScreen is deployed worldwide in critical infrastructure sectors such as Energy, and Delta Electronics is headquartered in Taiwan. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Mitigations:
Delta Electronics has released a new version (v1.3.2) of DIAScreen to address this issue. Users are advised to download the updated version from the DIAStudio download center (login required). CISA also recommends users take measures to protect themselves from social engineering attacks, such as email scams and phishing.

Recommendations:
CISA recommends organizations perform proper impact analysis and risk assessment prior to deploying defensive measures and implement recommended cybersecurity strategies for proactive defense of ICS assets. Additionally, organizations observing suspected malicious activity are encouraged to follow established internal procedures and report findings to CISA.

Update History:
The advisory was initially published on September 21, 2023.

Cybersecurity and Infrastructure Security Agency
