CVE-2024-1595
📋 TL;DR
Delta Electronics CNCSoft-B DOPSoft versions before 4.0.0.82 insecurely load dynamic link libraries (DLLs), allowing attackers to perform DLL hijacking attacks. This vulnerability could enable local attackers to execute arbitrary code with the privileges of the application, potentially leading to system compromise. Industrial control system operators using this software are affected.
💻 Affected Systems
- Delta Electronics CNCSoft-B DOPSoft
📦 What is this software?
Cncsoft B by Deltaww
Dopsoft by Deltaww
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with administrative privileges, allowing attackers to disrupt industrial operations, steal sensitive data, or deploy ransomware.
Likely Case
Local privilege escalation leading to unauthorized access to the CNC system, potentially allowing manipulation of manufacturing processes or data exfiltration.
If Mitigated
Limited impact with proper access controls, network segmentation, and application whitelisting preventing successful exploitation.
🎯 Exploit Status
DLL hijacking is a well-known attack technique. Exploitation requires placing a malicious DLL in a location where the application searches for libraries.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.0.0.82
Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-24-053-01
Restart Required: Yes
Instructions:
1. Download v4.0.0.82 or later from Delta Electronics official website. 2. Backup current configuration and data. 3. Install the update following vendor instructions. 4. Restart the system. 5. Verify the update was successful.
🔧 Temporary Workarounds
Application Whitelisting
windowsImplement application whitelisting to prevent execution of unauthorized DLLs.
Restrict DLL Search Path
windowsUse Group Policy or registry settings to restrict DLL search paths to trusted directories only.
🧯 If You Can't Patch
- Implement strict access controls to limit who can access systems running vulnerable software.
- Segment industrial control network from corporate network to reduce attack surface.
🔍 How to Verify
Check if Vulnerable:
Check software version in About dialog or program properties. If version is below 4.0.0.82, system is vulnerable.Check Version:
Check program properties or About dialog in CNCSoft-B DOPSoft interface.Verify Fix Applied:
Verify installed version is 4.0.0.82 or higher in software properties.📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loading from unusual directories
- Failed DLL loading attempts from non-standard paths
Network Indicators:
- Unusual outbound connections from CNC systems
- Anomalous network traffic patterns
SIEM Query:
EventID=4688 AND (ProcessName="*CNCSoft*" OR ProcessName="*DOPSoft*") AND CommandLine LIKE "%dll%"