Delta Electronics Monitoring InfraSuite Device Master exposed to critical flaws
Take action: The well-known playbook applies. If you are using InfraSuite Device Master, make sure it is isolated from internet access and reachable only from a trusted network. Then plan to patch it ASAP, because hackers will eventually find it.
Significant security weaknesses in Delta Electronics' operational technology monitoring product, InfraSuite Device Master, could let cyber attackers conceal their harmful operations from the staff of the targeted organization.
InfraSuite Device Master is data center facility monitoring software that offers real-time observation of essential devices, including power and cooling systems, building sensors, and industrial control systems such as programmable logic controllers and power meters.
Four vulnerabilities were identified, two of which are classified as 'critical severity'. The critical vulnerabilities can be exploited remotely by an unauthenticated attacker to run arbitrary code on the affected system. The other two vulnerabilities, rated 'high severity', allow remote code execution and the extraction of sensitive data, such as unencrypted credentials:
- CVE-2023-47207 (CVSS score 9.8) - Deserialization of Untrusted Data - A deserialization vulnerability in the same version (1.0.7) allows unauthenticated attackers to execute code with local administrator privileges. It is exploitable via the internet if the system is web-accessible.
- CVE-2023-39226 (CVSS score 9.8) - Exposed Dangerous Method or Function - Another vulnerability enables unauthenticated attackers to execute arbitrary code via a UDP packet.
- CVE-2023-46690 (CVSS score 8.8) - Path Traversal - Version 1.0.7 of Delta Electronics InfraSuite Device Master contains a path traversal vulnerability that permits an attacker to write files anywhere in the filesystem, potentially leading to remote code execution.
- CVE-2023-47279 (CVSS score 7.5) - Path Traversal - A vulnerability that allows attackers to disclose user information, obtain plaintext credentials, or perform NTLM relaying through a UDP packet.
Delta Electronics recommends updating the software to v1.0.10 or later.
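The two-step advice above (restrict network access now, update to v1.0.10 or later) can be turned into a simple triage over an asset inventory. The following is an added example written for this article, not code from Delta Electronics; the inventory rows are constructed, and the `Asset` fields are hypothetical. It also shows the classic pitfall of comparing version strings lexicographically, where "1.0.7" sorts above "1.0.10".

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIXED_VERSION = "1.0.10"   # minimum version Delta recommends in the advisory

# CVEs and CVSS scores as listed in the advisory
ADVISORY_CVES = {
    "CVE-2023-47207": 9.8,
    "CVE-2023-39226": 9.8,
    "CVE-2023-46690": 8.8,
    "CVE-2023-47279": 7.5,
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically: 1.0.7 < 1.0.10.
    A plain string comparison gets this backwards ("1.0.7" > "1.0.10")."""
    return tuple(int(part) for part in v.strip().split("."))


def is_patched(version: str) -> bool:
    return parse_version(version) >= parse_version(FIXED_VERSION)


@dataclass
class Asset:
    host: str               # hypothetical inventory fields, not real hosts
    version: str
    internet_exposed: bool


def triage(assets: List[Asset]) -> List[Dict]:
    """Rank installs: exposed and unpatched first, then unpatched, then exposed."""
    findings = []
    for a in assets:
        patched = is_patched(a.version)
        actions = []
        if a.internet_exposed:
            actions.append("restrict access to a trusted network only")
        if not patched:
            actions.append(f"update to {FIXED_VERSION} or later")
        priority = (not patched) * 2 + a.internet_exposed   # 3 = worst case
        findings.append({"host": a.host, "version": a.version, "patched": patched,
                         "priority": priority, "actions": actions,
                         "max_cvss": 0.0 if patched else max(ADVISORY_CVES.values())})
    return sorted(findings, key=lambda f: -f["priority"])


# Constructed sample inventory for demonstration
SAMPLE_INVENTORY = [
    Asset("dc-monitor-01.example", "1.0.7", True),
    Asset("dc-monitor-02.example", "1.0.10", False),
    Asset("dc-monitor-03.example", "1.0.9", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["host"], f["version"], "priority", f["priority"], "->",
              "; ".join(f["actions"]) or "no action")
```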
In practical scenarios, an attacker could use these vulnerabilities to compromise the InfraSuite Device Master, thereby suppressing important alerts to the operator. Further, if the attacker targets other operational technology systems within the victim's environment to cause disruption or damage, they could manipulate the Delta monitoring product to conceal any indicative problems.