PatchSiren cyber security CVE debrief
CVE-2024-47962 Delta Electronics CVE debrief
A stack-based buffer overflow vulnerability in Delta Electronics CNCSoft-G2 version 2.1.0.10 allows code execution through user interaction with malicious content. The flaw stems from improper length validation when copying user-supplied data to a fixed-length stack buffer. An attacker can leverage social engineering to manipulate an insider into visiting a malicious page or opening a malicious file, resulting in arbitrary code execution within the context of the current process. The vulnerability was disclosed by CISA on October 10, 2024, with a CVSS 3.1 score of 7.8 (HIGH).
- Vendor: Delta Electronics
- Product: CNCSoft-G2
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-10
- Original CVE updated: 2024-10-10
- Advisory published: 2024-10-10
- Advisory updated: 2024-10-10
Who should care
Organizations operating Delta Electronics CNCSoft-G2 in manufacturing environments, particularly those in CNC machining and industrial automation. Security teams responsible for OT/ICS environments, system administrators managing shop floor workstations, and personnel involved in supply chain or operational technology security should prioritize this patch due to the high severity and potential for code execution through relatively simple social engineering tactics.
Technical summary
CVE-2024-47962 is a stack-based buffer overflow in Delta Electronics CNCSoft-G2 version 2.1.0.10. The vulnerability occurs due to insufficient validation of user-supplied data length before copying to a fixed-length stack buffer. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates a local attack vector requiring user interaction but no privileges, with high impact on confidentiality, integrity, and availability. Successful exploitation requires an attacker to socially engineer an insider into visiting a malicious page or opening a malicious file, after which code executes in the context of the current process. The vendor has released version 2.1.0.16 to address this vulnerability.
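The root cause described above, shown as an added illustration that is not Delta Electronics code: a length-prefixed field copied into a fixed-length buffer, first with the declared length trusted and then with it validated. The record layout, NAME_BUF, the status codes and both function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout (an assumption, not the CNCSoft-G2 file format):
 *   byte 0      declared length of the name field (0..255)
 *   bytes 1..n  name bytes, not NUL-terminated */
#define NAME_BUF 32 /* fixed-length destination buffer */

enum parse_status {
    PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_BAD_ARG = -3
};

/* Flawed pattern, kept for contrast and never called here: the declared
 * length comes from the file and is used as the copy size unchecked, so any
 * value above NAME_BUF - 1 writes past `name` on the stack. */
size_t name_length_unchecked(const uint8_t *rec)
{
    char name[NAME_BUF];
    memcpy(name, rec + 1, rec[0]);
    name[rec[0]] = '\0';
    return strlen(name);
}

/* Hardened form: validate the declared length against both the bytes
 * actually present and the destination capacity before copying. */
enum parse_status parse_name(const uint8_t *rec, size_t rec_len,
                             char *out, size_t out_size)
{
    if (rec == NULL || out == NULL || out_size == 0)
        return PARSE_BAD_ARG;
    if (rec_len < 1)              /* no length byte at all */
        return PARSE_TRUNCATED;
    size_t declared = rec[0];
    if (declared > rec_len - 1)   /* field claims more bytes than the input holds */
        return PARSE_TRUNCATED;
    if (declared >= out_size)     /* leave room for the terminating NUL */
        return PARSE_TOO_LONG;
    memcpy(out, rec + 1, declared);
    out[declared] = '\0';
    return PARSE_OK;
}
```

Rejecting the record is preferable to silently truncating it, because a truncated field can still drive later parsing into an inconsistent state.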
Defensive priority
HIGH
Recommended defensive actions
- Update Delta Electronics CNCSoft-G2 to version 2.1.0.16 or later as provided by the vendor
- Implement network segmentation to limit exposure of industrial control systems to untrusted networks
- Apply principle of least privilege for user accounts accessing CNCSoft-G2 systems
- Conduct user awareness training on recognizing and avoiding social engineering attacks, particularly regarding unsolicited emails with web links or attachments
- Deploy application whitelisting to prevent execution of unauthorized code on systems running CNCSoft-G2
- Monitor for anomalous process behavior and unexpected network connections from CNCSoft-G2 applications
- Establish incident response procedures specifically for industrial control system compromises
Evidence notes
CISA ICS Advisory ICSA-24-284-21 confirms the vulnerability affects CNCSoft-G2 version 2.1.0.10. The advisory identifies the root cause as lack of proper length validation for user-supplied data copied to a fixed-length stack-based buffer. The attack vector requires local access with user interaction (AV:L/AC:L/PR:N/UI:R per CVSS 3.1).
Official resources
- CVE-2024-47962 CVE record (CVE.org)
- CVE-2024-47962 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-10-10