Recent security research shows that the Taiwan-based global electronics and ‘critical manufacturing’ giant Delta Electronics has a high-risk vulnerability in its TPEditor product. Delta Electronics has existed for over 60 years and is, according to its official website, “a leading global provider of innovative RF, microwave, and millimeter wave interconnect solutions.”
The Delta Electronics TPEditor Vulnerability
On August 24th, 2021, a software vulnerability report was published on the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Security Advisories web pages. Security researcher ‘Kimiya’ reported the vulnerability to CISA via Trend Micro’s Zero Day Initiative. It affects Delta Electronics’ TPEditor product. TPEditor is the programming software used with Delta Electronics text panels, which are HMI (Human Machine Interface) system controllers widely used in the industry. Specifically, TPEditor is software for programming Delta’s Textpanel keypad buttons for the TP series, especially the TP70P touch screen series.
Technical Details
The vulnerability has been assigned the CVE (Common Vulnerabilities and Exposures) identifier CVE-2021-33007. It is a high-risk vulnerability with a CVSS score of 7.8. It is a ‘heap-based buffer overflow’ (CWE-122) vulnerability that can allow a malicious remote attacker to take control of an unpatched system. The vulnerability exists due to a boundary error when processing a specially crafted project file: a remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Vulnerable Software Versions
The affected software is Delta Industrial Automation TPEditor. Versions 1.98.06 and earlier are vulnerable to the above software vulnerability.
Important User Information
According to the latest information from CISA security advisory reports, it is imperative that customers and users of Delta Electronics products, especially TPEditor, update (patch) the software. A fix has been released that mitigates the above issue. The updated version is v1.98.07 and is available for download.
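To find workstations that still need the update, the version boundary above can be applied to a software inventory. The following is an added example, not code from Delta Electronics or CISA; the hostnames and inventory layout are constructed, and it assumes that releases later than 1.98.07 also contain the fix.

```python
import re

# From the article: 1.98.06 and earlier are vulnerable, v1.98.07 is the fixed release.
FIRST_FIXED = (1, 98, 7)

# Accepts "1.98.06" and "v1.98.07"; anything else is treated as unreadable.
_VERSION_RE = re.compile(r"^[vV]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is not a version."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        return None
    # int() drops zero padding, so "06" and "6" compare equal.
    return tuple(int(part) for part in match.groups())


def classify(version_text):
    """Map a reported TPEditor version string to a triage status."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # never count an unreadable version as patched
    if version >= FIRST_FIXED:
        return "fixed"  # assumption: releases after 1.98.07 keep the fix
    return "vulnerable"


def triage(inventory):
    """Group hostnames by status; inventory is an iterable of (host, version) pairs."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("eng-ws-01", "1.98.06"),
    ("eng-ws-02", "v1.98.07"),
    ("eng-ws-03", "1.97.10"),
    ("eng-ws-04", "1.100.00"),  # a plain string comparison would rank this below 1.98.06
    ("eng-ws-05", ""),          # inventory agent returned nothing
    ("eng-ws-06", "1.98.6 "),   # unpadded form of the vulnerable build
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed patched.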