PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-39354 Delta Electronics CVE debrief

A stack-based buffer overflow vulnerability exists in Delta Electronics DIAScreen versions prior to 1.5.0. The flaw resides in the CEtherIPTagItem component and can be triggered when a valid user opens a maliciously crafted file. Successful exploitation enables remote code execution with the privileges of the user running the application. The vulnerability has a local attack vector and requires user interaction (opening a malicious file), but does not require elevated privileges. CISA published this advisory on November 7, 2024.

Vendor: Delta Electronics
Product: DIAScreen
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-11-07
Original CVE updated: 2024-11-07
Advisory published: 2024-11-07
Advisory updated: 2024-11-07

Who should care

Organizations using Delta Electronics DIAScreen in industrial automation and HMI development environments, particularly those in manufacturing, process control, and critical infrastructure sectors. Security teams responsible for OT/ICS asset management and patch deployment should prioritize this update.

Technical summary

The vulnerability is a stack-based buffer overflow in the CEtherIPTagItem component of Delta Electronics DIAScreen. The flaw can be exploited when a user opens a malicious file, leading to arbitrary code execution. The CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a local attack vector with low attack complexity, no privileges required, but user interaction required. The impact is high across confidentiality, integrity, and availability. The vendor has addressed this in version 1.5.0.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Delta Electronics DIAScreen to version 1.5.0 or later. The vendor fix is available through the Delta DIAScreen download portal (login required).
  • Apply defense-in-depth controls for industrial control systems environments, including network segmentation and restricted file execution policies.
  • Train users to recognize and avoid opening untrusted files, particularly in engineering workstation environments.
  • Review and implement CISA ICS recommended practices for securing operational technology environments.
  • Monitor for anomalous process execution and file access patterns on DIAScreen host systems.

Evidence notes

CISA CSAF advisory ICSA-24-312-02 confirms the vulnerability affects DIAScreen versions prior to 1.5.0, with a CVSS 3.1 score of 7.8 (HIGH). The attack vector is local (AV:L) with required user interaction (UI:R). The vendor has released version 1.5.0 as a security update.

Official resources

CISA ICS advisory ICSA-24-312-02, published 2024-11-07