CVE-2023-43821
📋 TL;DR
A stack-based buffer overflow vulnerability in Delta Electronics DOPSoft allows remote code execution when users open malicious DPS files. Attackers can exploit this without authentication by tricking users into opening specially crafted files. Organizations using Delta Industrial Automation DOPSoft for HMI programming are affected.
💻 Affected Systems
- Delta Electronics Delta Industrial Automation DOPSoft
📦 What is this software?
Dopsoft by Deltaww
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the workstation, potentially leading to lateral movement within industrial control networks and disruption of manufacturing processes.
Likely Case
Attacker executes arbitrary code on the engineering workstation, potentially stealing credentials, installing malware, or disrupting HMI programming activities.
If Mitigated
Limited impact with proper segmentation and user awareness preventing successful exploitation attempts.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) but the exploit itself is straightforward once the file is opened.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown from provided references - check Delta Electronics advisory
Vendor Advisory: Not provided in references - check Delta Electronics website
Restart Required: Yes
Instructions:
1. Check Delta Electronics security advisory for patch availability
2. Download and install the latest DOPSoft version
3. Restart the system after installation
4. Verify patch installation
🔧 Temporary Workarounds
Restrict DPS file handling
Windows: Block or restrict DPS file extensions from being opened by DOPSoft
Use Group Policy or application whitelisting to block .dps files
Configure Windows to open .dps files with a different application
User awareness training
All platforms: Train users to only open DPS files from trusted sources
🧯 If You Can't Patch
- Segment DOPSoft workstations from critical networks using firewalls
- Implement application whitelisting to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check DOPSoft version against patched version in vendor advisory
Check Version:
Check Help > About in DOPSoft application or examine installed programs in Windows Control Panel
Verify Fix Applied:
Verify DOPSoft version matches or exceeds patched version, test with known safe DPS files
📡 Detection & Monitoring
Log Indicators:
- Application crashes of DOPSoft.exe
- Unusual process creation from DOPSoft
- Multiple failed file parsing attempts
Network Indicators:
- Unexpected outbound connections from DOPSoft workstations
- File transfers to/from engineering workstations
SIEM Query:
Process Creation where Image contains 'DOPSoft' AND (ParentImage contains 'explorer' OR CommandLine contains '.dps')
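Added example (not from the vendor or the referenced write-up): a small triage routine that applies the log indicators above to process-creation and crash events. It assumes Sysmon Event ID 1 fields (Image, ParentImage, CommandLine) and Application Error Event ID 1000; the install path, the child-process baseline, the untrusted-location list and all sample events are constructed for illustration.

```python
import ntpath
import re

# Assumption: child processes baselined as normal for DOPSoft at your site (none here).
ALLOWED_CHILDREN = set()
# Assumption: locations a DPS project should never be opened from
# (download/temp/mail-attachment folders, or a UNC share).
UNTRUSTED = re.compile(
    r'\\(downloads|temp|inetcache)\\[^"]*\.dps|[\s"]\\\\[^"]*\.dps', re.I)

SAMPLE = [  # constructed events, not real telemetry; C:\DOPSoft is a hypothetical path
    {"EventID": 1, "Image": r"C:\DOPSoft\DOPSoft.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\DOPSoft\DOPSoft.exe" "D:\Projects\line3.dps"'},
    {"EventID": 1, "Image": r"C:\DOPSoft\DOPSoft.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\DOPSoft\DOPSoft.exe" "C:\Users\op\Downloads\panel.dps"'},
    {"EventID": 1000, "Application": "DOPSoft.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\DOPSoft\DOPSoft.exe", "CommandLine": "cmd.exe"},
]

def base(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return ntpath.basename(path or "").lower()

def triage(events):
    """Return (rule, event) pairs for the log indicators listed above."""
    hits = []
    for ev in events:
        # Indicator: application crashes of DOPSoft.exe
        if ev["EventID"] == 1000 and base(ev.get("Application")) == "dopsoft.exe":
            hits.append(("dopsoft_crash", ev))
        if ev["EventID"] != 1:
            continue
        image, parent = base(ev["Image"]), base(ev["ParentImage"])
        # Indicator: unusual process creation from DOPSoft
        if parent == "dopsoft.exe" and image not in ALLOWED_CHILDREN:
            hits.append(("unexpected_child", ev))
        # DOPSoft started on a .dps file that lives in an untrusted location
        if image == "dopsoft.exe" and UNTRUSTED.search(ev["CommandLine"]):
            hits.append(("dps_from_untrusted_path", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE):
        print(rule, ev.get("CommandLine") or ev.get("Application"))
```

A crash followed shortly by an unexpected child process on the same host is the combination worth escalating first.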
🔗 References
- https://blog.exodusintel.com/2024/01/18/delta-electronics-delta-industrial-automation-dopsoft-dps-file-wlogtitlesactionlen-buffer-overflow-remote-code-execution/