"Delta Electronics Patches Serious Flaws in Industrial Networking Devices"

Taiwan-based Delta Electronics has recently patched potentially serious vulnerabilities in two of its industrial networking products. Security researchers at CyberDanube discovered the flaws in Delta's DX-2100-L1-CN 3G cloud router and the DVW-W02W2-E2 industrial wireless access point. The researchers conducted their analysis on so-called digital twins, which involve virtualization techniques, rather than on the actual devices.

In the 3G router, the researchers discovered an authenticated command injection issue and a stored cross-site scripting (XSS) flaw. They noted that the command injection vulnerability can allow an attacker with credentials for the web service to execute system commands on the OS with root privileges. While exploitation of that security hole requires authentication, the researchers stated that the XSS vulnerability could be leveraged by an attacker to bypass the authentication requirement.

In the Delta access point, the researchers discovered an authenticated command injection vulnerability. They stated that this vulnerability allows an attacker to gain full access to the underlying operating system of the device, with all the implications that carries. They noted that if such a device acts as a key device in an industrial network or controls various critical equipment via serial ports, an attacker can do more extensive damage in the corresponding network. For this vulnerability, the researchers noted that an attacker could obtain the credentials required for exploitation through ARP spoofing on the network or through brute-force attacks, and that the difficulty of obtaining the credentials generally depends on the strength of the password.

The vulnerabilities are both rated "high impact" by CyberDanube and were reported to the vendor in August. Firmware patches were released in November. The cybersecurity firm has released advisories with technical details for both products (DX-2100-L1-CN and DVW-W02W2-E2).

 

SecurityWeek reports: "Delta Electronics Patches Serious Flaws in Industrial Networking Devices"

Submitted by Anonymous on