PatchSiren cyber security CVE debrief
CVE-2024-39605 Delta Electronics CVE debrief
CVE-2024-39605 is a stack-based buffer overflow vulnerability in Delta Electronics DIAScreen, an industrial control system HMI/SCADA software. The flaw exists in the BACnetParameter component and can be exploited when a valid user is tricked into opening a maliciously crafted file. Successful exploitation allows remote code execution with the privileges of the user running the application. The vulnerability was disclosed by CISA on November 7, 2024, with a CVSS 3.1 score of 7.8 (HIGH). Delta Electronics has released version 1.5.0 to address this issue. The attack requires local access (AV:L) and user interaction (UI:R), but no privileges (PR:N), making it a significant risk in environments where operators routinely open project files from external sources.
- Vendor: Delta Electronics
- Product: DIAScreen
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-11-07
- Original CVE updated: 2024-11-07
- Advisory published: 2024-11-07
- Advisory updated: 2024-11-07
Who should care
Industrial control system operators, OT security teams, manufacturing security engineers, SCADA/HMI administrators, and organizations using Delta Electronics DIAScreen for human-machine interface applications in critical infrastructure or manufacturing environments.
Technical summary
The vulnerability is a stack-based buffer overflow in the BACnetParameter parsing functionality of Delta Electronics DIAScreen. When processing a malformed project file, insufficient bounds checking allows attacker-controlled data to overwrite the stack, leading to arbitrary code execution. The attack vector requires social engineering to convince a user to open a malicious file, but once triggered, the code executes with that user's privileges. This is particularly concerning in operational technology environments, where engineering workstations may have privileged access to control systems. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H reflects a local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability.
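To show the bug class described above (a file-supplied length copied into a fixed stack buffer without a bounds check) next to its fix, here is an added example in C. It is constructed for this debrief and is not DIAScreen code: the record layout, function names and sample records are assumptions, not the real project-file format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NAME_MAX 16   /* size of the fixed stack buffer the parser fills */

/* Record layout ASSUMED for this illustration (not DIAScreen's real format):
 * byte 0 = N (name length), bytes 1..N = name, then a 32-bit LE value. */
/* Unchecked variant: trusts N as read from the file. When N > NAME_MAX the
 * memcpy writes past `name` into the rest of the stack frame (the overflow
 * class of this CVE); when N exceeds the record it also reads past the input.
 * Kept only for contrast with the checked version below. */
int parse_param_unchecked(const uint8_t *rec, size_t rec_len, uint32_t *value)
{
    char name[NAME_MAX];
    size_t n = rec[0];
    (void)rec_len;                      /* available length is never consulted */
    memcpy(name, rec + 1, n);
    *value = (uint32_t)rec[1 + n] | ((uint32_t)rec[2 + n] << 8) |
             ((uint32_t)rec[3 + n] << 16) | ((uint32_t)rec[4 + n] << 24);
    return 1;
}

/* Checked variant: every file-derived length is validated against both the
 * destination buffer and the bytes actually present before any copy or read.
 * Returns 1 on success, 0 if the record is malformed (caller aborts the load). */
int parse_param_checked(const uint8_t *rec, size_t rec_len, uint32_t *value)
{
    char name[NAME_MAX];
    if (rec_len < 1) return 0;                 /* no length byte at all */
    size_t n = rec[0];
    if (n > NAME_MAX) return 0;                /* would overflow `name` */
    if (rec_len < 1 + n + 4) return 0;         /* would read past the input */
    memcpy(name, rec + 1, n);
    *value = (uint32_t)rec[1 + n] | ((uint32_t)rec[2 + n] << 8) |
             ((uint32_t)rec[3 + n] << 16) | ((uint32_t)rec[4 + n] << 24);
    return 1;
}

/* Test helper: parsed value on success, -1 when the checked parser rejects. */
long long parse_or_reject(const uint8_t *rec, size_t rec_len)
{
    uint32_t v = 0;
    return parse_param_checked(rec, rec_len, &v) ? (long long)v : -1LL;
}

/* Constructed sample records (not taken from any real project file). */
const uint8_t good_rec[] = { 4, 'T', 'e', 'm', 'p', 0x78, 0x56, 0x34, 0x12 };
const uint8_t bad_rec[]  = { 200, 'T', 'e', 'm', 'p', 0x78, 0x56, 0x34, 0x12 }; /* claims 200-byte name */
```

The checked parser rejects the oversized length and the truncated record before any copy happens; the same pattern (validate every file-derived length against both the destination and the remaining input) is what the vendor fix needs to apply at each parsing site.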
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to DIAScreen v1.5.0 or later immediately on all engineering workstations and operator stations
- Implement application whitelisting to prevent execution of unauthorized DIAScreen project files
- Train operators and engineers on phishing and social engineering risks, emphasizing verification of file sources before opening
- Deploy endpoint detection and response (EDR) solutions on systems running DIAScreen to detect anomalous process behavior
- Restrict network access for engineering workstations to essential operational technology networks only
- Establish a patch management process for industrial software with regular vendor security advisory monitoring
Evidence notes
Vulnerability disclosed via CISA ICS Advisory ICSA-24-312-02. Affected versions confirmed as DIAScreen prior to v1.5.0. Vendor fix released and publicly available. No known exploitation in the wild or KEV listing at time of disclosure.
Official resources
- CVE-2024-39605 CVE record (CVE.org)
- CVE-2024-39605 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-11-07