CVE-2023-43817
📋 TL;DR
A buffer overflow vulnerability in Delta Electronics DOPSoft version 2 allows remote code execution when parsing malicious DPS files. Attackers can exploit this by tricking users into opening specially crafted files. This affects industrial automation systems using vulnerable DOPSoft software.
💻 Affected Systems
- Delta Electronics Delta Industrial Automation DOPSoft
📦 What is this software?
Dopsoft by Deltaww
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the workstation running DOPSoft, potentially leading to industrial process disruption or lateral movement into OT networks.
Likely Case
Attacker executes arbitrary code on the engineering workstation, potentially stealing credentials, modifying PLC programs, or establishing persistence in the industrial network.
If Mitigated
Limited impact with proper network segmentation and user awareness preventing malicious file execution.
🎯 Exploit Status
Exploitation requires user interaction to open malicious DPS file. Technical details and proof-of-concept are publicly available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: No official vendor advisory found at time of analysis
Restart Required: No
Instructions:
Check Delta Electronics website for security updates. If patch is available, download and install following vendor instructions. Consider upgrading to newer supported versions if available.
🔧 Temporary Workarounds
Restrict DPS file handling
Configure Windows to open DPS files with a text editor instead of DOPSoft, or block DPS file execution entirely.
Use Windows Group Policy or registry to modify file associations for .dps extension
Application whitelisting
Implement application control to prevent unauthorized execution of DOPSoft or restrict it to specific users.
Configure Windows AppLocker or similar solution to control DOPSoft execution
🧯 If You Can't Patch
- Implement strict network segmentation to isolate engineering workstations from general corporate network
- Train users to never open DPS files from untrusted sources and implement email filtering for suspicious attachments
🔍 How to Verify
Check if Vulnerable:
Check DOPSoft version in Help > About menu. If version 2.x, system is likely vulnerable.
Check Version:
Open DOPSoft, navigate to Help > About menu to view version information
Verify Fix Applied:
Verify DOPSoft has been updated to a version not listed as vulnerable, or that workarounds have been properly implemented.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DOPSoft crashes, unexpected process creation from DOPSoft, or suspicious file access patterns
Network Indicators:
- Unusual network connections originating from engineering workstations running DOPSoft
SIEM Query:
Process creation where parent_process contains 'dopsoft.exe' AND (process_name contains 'cmd.exe' OR process_name contains 'powershell.exe' OR process_name contains suspicious executable names)
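An added example, not part of the original page or any vendor tooling: the parent/child rule from the SIEM query above, evaluated in Python over constructed process-creation events. The `ParentImage` and `Image` field names follow Sysmon Event ID 1 and are an assumption about the log source, as are the sample paths and host names; the check matches on the exact image file name, case-insensitively, rather than on a substring.

```python
import ntpath

# Parent image name taken from the page's SIEM query.
PARENT_NAME = "dopsoft.exe"
# Child names from the page's query; anything a site adds is its own assumption.
CHILD_NAMES = frozenset({"cmd.exe", "powershell.exe"})


def image_name(path):
    """Lower-cased file name of a Windows image path; '' when the field is missing."""
    if not path:
        return ""
    return ntpath.basename(path.strip().strip('"')).lower()


def is_suspicious_spawn(event, child_names=CHILD_NAMES):
    """True when DOPSoft is the parent of one of the listed child processes."""
    parent = image_name(event.get("ParentImage"))
    child = image_name(event.get("Image"))
    return parent == PARENT_NAME and child in child_names


def find_alerts(events, child_names=CHILD_NAMES):
    """Return the events that match the rule, in input order."""
    return [e for e in events if is_suspicious_spawn(e, child_names)]


# Constructed sample events (not real telemetry); paths and hosts are illustrative.
SAMPLE_EVENTS = [
    {"Host": "EWS-01", "ParentImage": r"C:\Apps\DOPSoft\DOPSoft.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"Host": "EWS-01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"Host": "EWS-02", "ParentImage": r"C:\Apps\DOPSoft\dopsoft.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE"},
    {"Host": "EWS-02", "ParentImage": r"C:\Apps\DOPSoft\dopsoft.exe",
     "Image": r"C:\Apps\DOPSoft\helper.exe"},
    {"Host": "EWS-03", "Image": r"C:\Windows\System32\cmd.exe"},  # parent field missing
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert["Host"], alert["ParentImage"], "->", alert["Image"])
```

Running the same events with a site-specific `child_names` set shows which additional child processes would alert before the rule is deployed to the SIEM.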
🔗 References
- https://blog.exodusintel.com/2024/01/18/delta-electronics-delta-industrial-automation-dopsoft-dps-file-wmailcontentlen-buffer-overflow-remote-code-execution/