CVE-2020-27281 – Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-27281
A stack-based buffer overflow may exist in Delta Electronics CNCSoft ScreenEditor versions 1.01.26 and prior when processing specially crafted project files, which may allow an attacker to execute arbitrary code. Es posible que se presente un desbordamiento del búfer en la región stack de la memoria en Delta Electronics CNCSoft ScreenEditor versiones 1.01.26 y anteriores al procesar archivos de proyecto especialmente diseñados, lo que puede permitir a un atacante ejecutar código arbitrario This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation CNCSoft ScreenEditor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DPB files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://us-cert.cisa.gov/ics/advisories/icsa-21-005-06 https://www.zerodayinitiative.com/advisories/ZDI-21-039 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2020-27293 – Delta Industrial Automation CNCSoft-B DOPSoft DPA File Parsing Type Confusion Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-27293
Delta Electronics CNCSoft-B Versions 1.0.0.2 and prior has a type confusion issue while processing project files, which may allow an attacker to execute arbitrary code. Delta Electronics CNCSoft-B versiones 1.0.0.2 y anteriores, presenta un problema de confusión de tipos al procesar archivos de proyecto, lo que puede permitir a un atacante ejecutar código arbitrario This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation CNCSoft-B. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DPA files by the DOPSoft program. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://us-cert.cisa.gov/ics/advisories/icsa-21-007-04 https://www.zerodayinitiative.com/advisories/ZDI-21-045 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVE-2020-27289 – Delta Industrial Automation CNCSoft-B DOPSoft DPA File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-27289
Delta Electronics CNCSoft-B Versions 1.0.0.2 and prior has a null pointer dereference issue while processing project files, which may allow an attacker to execute arbitrary code. Delta Electronics CNCSoft-B versiones 1.0.0.2 y anteriores, presenta un problema de desreferencia de puntero null mientras procesa archivos de proyecto, lo que puede permitir a un atacante ejecutar código arbitrario This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation CNCSoft-B. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DPA files in the DOPSoft application. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://us-cert.cisa.gov/ics/advisories/icsa-21-007-04 https://www.zerodayinitiative.com/advisories/ZDI-21-040 • CWE-476: NULL Pointer Dereference CWE-822: Untrusted Pointer Dereference •
CVE-2020-27291 – Delta Industrial Automation CNCSoft-B DOPSoft XLS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-27291
Delta Electronics CNCSoft-B Versions 1.0.0.2 and prior is vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code. Delta Electronics CNCSoft-B versiones 1.0.0.2 y anteriores, es vulnerable a una lectura fuera de límites mientras procesa archivos de proyecto, lo que puede permitir a un atacante ejecutar código arbitrario This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation CNCSoft-B. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XLS files in the DOPSoft application. The issue results from the lack of proper validation of user-supplied data, which can result in a read before the start of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://us-cert.cisa.gov/ics/advisories/icsa-21-007-04 https://www.zerodayinitiative.com/advisories/ZDI-21-042 • CWE-125: Out-of-bounds Read •
CVE-2020-27287 – Delta Industrial Automation CNCSoft-B DOPSoft XLS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2020-27287
Delta Electronics CNCSoft-B Versions 1.0.0.2 and prior is vulnerable to an out-of-bounds write while processing project files, which may allow an attacker to execute arbitrary code. Delta Electronics CNCSoft-B versiones 1.0.0.2 y anteriores es vulnerable a una escritura fuera de límites mientras procesa archivos de proyecto, lo que puede permitir a un atacante ejecutar código arbitrario This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Industrial Automation CNCSoft-B. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XLS files in the DOPSoft application. The issue results from the lack of proper validation of user-supplied data, which can result in a write after the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. • https://us-cert.cisa.gov/ics/advisories/icsa-21-007-04 https://www.zerodayinitiative.com/advisories/ZDI-21-030 https://www.zerodayinitiative.com/advisories/ZDI-21-031 https://www.zerodayinitiative.com/advisories/ZDI-21-041 https://www.zerodayinitiative.com/advisories/ZDI-21-043 https://www.zerodayinitiative.com/advisories/ZDI-21-044 • CWE-787: Out-of-bounds Write •