CVE-2020-27275
📋 TL;DR
Delta Electronics DOPSoft versions 4.0.8.21 and earlier contain an out-of-bounds write vulnerability when processing project files, allowing attackers to execute arbitrary code on affected systems. This affects industrial control system operators using Delta HMI software for programming and configuration.
💻 Affected Systems
- Delta Electronics DOPSoft
📦 What is this software?
Dopsoft by Deltaww
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the engineering workstation, potentially enabling lateral movement to industrial control systems.
Likely Case
Remote code execution on engineering workstations leading to data theft, manipulation of HMI programs, or disruption of industrial processes.
If Mitigated
Limited impact if systems are air-gapped, have strict file transfer controls, and use principle of least privilege.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious project file. Multiple ZDI advisories suggest sophisticated exploit development.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.8.22 or later
Vendor Advisory: https://www.deltaww.com/en-US/Service/DownloadCenter
Restart Required: Yes
Instructions:
1. Download DOPSoft version 4.0.8.22 or later from the Delta Electronics website.
2. Uninstall the previous version.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict project file sources
All platforms: Only open project files from trusted sources and implement file integrity checking
Application whitelisting
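Windows: Implement application control to prevent execution of unauthorized code
Using Windows AppLocker or similar: Get-AppLockerFileInformation -Directory <approved-dir> -Recurse -FileType Exe | New-AppLockerPolicy -RuleType Publisher,Path -User Everyone -Optimize -Xml
New-AppLockerPolicy has no -Action parameter; it generates allow rules from the files it is given, and once the policy is enforced, executables that match no allow rule are blocked. <approved-dir> is a placeholder for the directory of approved software.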
🧯 If You Can't Patch
- Air-gap engineering workstations from untrusted networks
- Implement strict access controls and monitor for suspicious file activity
🔍 How to Verify
Check if Vulnerable:
Check DOPSoft version via Help > About in the application or examine installed programs in Windows Control Panel
Check Version:
wmic product where name="DOPSoft" get version
Verify Fix Applied:
Verify installed version is 4.0.8.22 or later and test opening known-good project files
📡 Detection & Monitoring
Log Indicators:
- Unexpected process creation from DOPSoft.exe
- Memory access violations in application logs
- Unusual file operations from DOPSoft process
Network Indicators:
- Unexpected outbound connections from engineering workstations
- File transfers to/from DOPSoft directories
SIEM Query:
source="windows" process_name="DOPSoft.exe" AND (event_id=4688 OR event_id=4663)
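The first log indicator above, written out as offline triage logic over exported Security events. This is an added example, not part of the original advisory: `EventID`, `ParentProcessName`, `NewProcessName` and `CommandLine` are the standard 4688 fields, while the sample records, the `<install-dir>` placeholder and the `helper.exe` baseline entry are constructed.

```python
import ntpath

PARENT_IMAGE = "dopsoft.exe"  # process name from the page, compared case-insensitively

def image(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path or "").lower()

def unexpected_children(events, baseline=frozenset()):
    """Return (child image, command line) for each 4688 event whose parent is
    DOPSoft.exe and whose new process is not in the site baseline."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue  # 4663 and other event IDs are outside this check
        if image(ev.get("ParentProcessName")) != PARENT_IMAGE:
            continue
        child = image(ev.get("NewProcessName"))
        if child not in baseline:
            hits.append((child, ev.get("CommandLine", "")))
    return hits

# Constructed sample records; <install-dir> and <projects> are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4688, "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\<install-dir>\DOPSoft.exe", "CommandLine": "DOPSoft.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\<install-dir>\DOPSOFT.EXE",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 4688, "ParentProcessName": r"C:\<install-dir>\DOPSoft.exe",
     "NewProcessName": r"C:\<install-dir>\helper.exe", "CommandLine": "helper.exe"},
    {"EventID": 4663, "ProcessName": r"C:\<install-dir>\DOPSoft.exe",
     "ObjectName": r"C:\<projects>\<project-file>"},
]

if __name__ == "__main__":
    # helper.exe stands in for a child seen during normal use (assumption).
    for child, cmd in unexpected_children(SAMPLE_EVENTS, baseline={"helper.exe"}):
        print(f"ALERT child={child} cmd={cmd!r}")
```

Matching on the image file name alone is a triage heuristic; build the baseline from a known-good workstation, and note that `ParentProcessName` is only present on Windows versions that record it in 4688.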
🔗 References
- https://us-cert.cisa.gov/ics/advisories/icsa-21-005-05
- https://www.zerodayinitiative.com/advisories/ZDI-21-028/
- https://www.zerodayinitiative.com/advisories/ZDI-21-029/
- https://www.zerodayinitiative.com/advisories/ZDI-21-032/
- https://www.zerodayinitiative.com/advisories/ZDI-21-034/
- https://www.zerodayinitiative.com/advisories/ZDI-21-035/
- https://www.zerodayinitiative.com/advisories/ZDI-21-036/
- https://www.zerodayinitiative.com/advisories/ZDI-21-037/
- https://www.zerodayinitiative.com/advisories/ZDI-21-038/