Delta Electronics CNCSoft-G2 DOPSoft DPAX

April 30, 2024 at 10:47AM

Summary:
The vulnerability report concerns Delta Electronics’ CNCSoft-G2 software, where a stack-based buffer overflow could lead to arbitrary code execution. Versions 2.0.0.5 and prior are affected. The report includes mitigation measures, a risk evaluation, affected products, technical details, and background information. CVE-2024-4192 has been assigned to this vulnerability.

Key points from the report:

1. The vulnerability is a stack-based buffer overflow in Delta Electronics CNCSoft-G2, versions 2.0.0.5 and prior, which could allow an attacker to execute arbitrary code.
2. A CVE identifier, CVE-2024-4192, has been assigned to this vulnerability, with a CVSS v3.1 base score of 7.8 and a CVSS v4 base score of 8.5.
3. The vulnerability affects critical infrastructure sectors globally and was reported by Natnael Samson to CISA.

Mitigations recommended by Delta Electronics and CISA include updating to CNCSoft-G2 v2.1.0.4 or later, minimizing network exposure for control system devices, using secure remote access methods, and implementing cybersecurity strategies for proactive defense of ICS assets.

No known public exploitation targeting this vulnerability has been reported to CISA at this time.

For further information on recommended practices and mitigation strategies, organizations can refer to the CISA webpage on cisa.gov/ics and the technical information paper, ICS-TIP-12-146-01B. Additionally, organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA.

The vulnerability was initially published on April 30, 2024.
