CVE-2021-38402 - Vulnerability Details - OpenCVE

Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Deltaww	Dopsoft

Configuration 1 [-]

cpe:2.3:a:deltaww:dopsoft:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02

History

Wed, 23 Apr 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2021-09-17T18:54:37.590Z

Updated: 2025-04-23T19:27:44.541Z

Reserved: 2021-08-10T00:00:00.000Z

Link: CVE-2021-38402

Vulnrichment

Updated: 2024-08-04T01:37:16.542Z

NVD

Status : Modified

Published: 2021-09-17T19:15:08.570

Modified: 2024-11-21T06:17:00.567

Link: CVE-2021-38402

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "DOPSoft 2", "vendor": "Delta Electronics", "versions": [{"lessThanOrEqual": "2.00.07", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "kimiya, working with Trend Micro\u2019s Zero Day Initiative"}], "datePublic": "2021-09-09T00:00:00.000Z", "descriptions": [{"lang": "en", "value": "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-09-17T18:54:37.000Z", "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02"}], "solutions": [{"lang": "en", "value": "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available"}], "source": {"advisory": "ICSA-21-252-02", "discovery": "UNKNOWN"}, "title": "Delta Electronics DOPSoft 2 Stack-Based Buffer Overflow", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-09-09T14:34:00.000Z", "ID": "CVE-2021-38402", "STATE": "PUBLIC", "TITLE": "Delta Electronics DOPSoft 2 Stack-Based Buffer Overflow"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "DOPSoft 2", "version": {"version_data": [{"version_affected": "<=", "version_value": "2.00.07"}]}}]}, "vendor_name": "Delta Electronics"}]}}, "credit": [{"lang": "eng", "value": "kimiya, working with Trend Micro\u2019s Zero Day Initiative"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-121 Stack-based Buffer Overflow"}]}]}, "references": {"reference_data": [{"name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02", "refsource": "MISC", "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02"}]}, "solution": [{"lang": "en", "value": "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available"}], "source": {"advisory": "ICSA-21-252-02", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:37:16.542Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T13:16:44.645908Z", "id": "CVE-2021-38402", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T19:27:44.541Z"}}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2021-38402", "datePublished": "2021-09-17T18:54:37.590Z", "dateReserved": "2021-08-10T00:00:00.000Z", "dateUpdated": "2025-04-23T19:27:44.541Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:37:16.542Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-38402", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-23T13:16:44.645908Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T13:16:46.052Z"}}], "cna": {"title": "Delta Electronics DOPSoft 2 Stack-Based Buffer Overflow", "source": {"advisory": "ICSA-21-252-02", "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "value": "kimiya, working with Trend Micro\u2019s Zero Day Initiative"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Delta Electronics", "product": "DOPSoft 2", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "2.00.07"}]}], "solutions": [{"lang": "en", "value": "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available"}], "datePublic": "2021-09-09T00:00:00.000Z", "references": [{"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02", "tags": ["x_refsource_MISC"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2021-09-17T18:54:37.000Z"}, "x_legacyV4Record": {"credit": [{"lang": "eng", "value": "kimiya, working with Trend Micro\u2019s Zero Day Initiative"}], "impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "ICSA-21-252-02", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "2.00.07", "version_affected": "<="}]}, "product_name": "DOPSoft 2"}]}, "vendor_name": "Delta Electronics"}]}}, "solution": [{"lang": "en", "value": "DOPSoft 2 will not receive an update to mitigate these vulnerabilities because it is an end-of-life product. Delta Electronics recommends users to switch to the replacement software when available"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02", "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-121 Stack-based Buffer Overflow"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-38402", "STATE": "PUBLIC", "TITLE": "Delta Electronics DOPSoft 2 Stack-Based Buffer Overflow", "ASSIGNER": "ics-cert@hq.dhs.gov", "DATE_PUBLIC": "2021-09-09T14:34:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2021-38402", "state": "PUBLISHED", "dateUpdated": "2025-04-23T19:27:44.541Z", "dateReserved": "2021-08-10T00:00:00.000Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2021-09-17T18:54:37.590Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deltaww:dopsoft:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5964F12-0B63-4F7B-AF5D-AB8035660CE2", "versionEndIncluding": "2.00.07", "versionStartIncluding": "2.00", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Delta Electronic DOPSoft 2 (Version 2.00.07 and prior) lacks proper validation of user-supplied data when parsing specific project files. This could lead to a stack-based buffer overflow while trying to copy to a buffer during font string handling. An attacker could leverage this vulnerability to execute code in the context of the current process."}, {"lang": "es", "value": "Delta Electronic DOPSoft 2 (versiones 2.00.07 y anteriores), no comprueba apropiadamente los datos suministrados por el usuario cuando analiza archivos de proyecto espec\u00edficos. Esto podr\u00eda conllevar a un desbordamiento del b\u00fafer en la regi\u00f3n stack de la memoria mientras se intenta copiar en un b\u00fafer durante el manejo de la cadena de fuentes. Un atacante podr\u00eda aprovechar esta vulnerabilidad para ejecutar c\u00f3digo en el contexto del proceso actual"}], "id": "CVE-2021-38402", "lastModified": "2024-11-21T06:17:00.567", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-09-17T19:15:08.570", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-252-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}