CVE-2023-47207: Critical Vulnerability in Delta Electronics’ OT Security
Critical vulnerabilities in Delta Electronics’ Operational Technology (OT) monitoring product could enable hackers to conceal their activities from the staff of the targeted organization.
The issue affects a Delta product named InfraSuite Device Master, version 1.0.7 and earlier. The vulnerabilities were disclosed in late November, when the Cybersecurity and Infrastructure Security Agency (CISA) and the Zero Day Initiative (ZDI) issued corresponding warnings. Delta Electronics advises users to upgrade the software to version 1.0.10 or later.
InfraSuite Device Master is software for monitoring and managing data center infrastructure. It allows real-time tracking of the status of critical devices, including power and cooling systems, building sensors, and Industrial Control Systems (ICS) such as Programmable Logic Controllers (PLC) and energy meters.
Four vulnerabilities were identified, two of which were rated as ‘critical’. These critical flaws could be exploited by a remote, unauthenticated attacker to execute arbitrary code on the target system.
The other two high-risk vulnerabilities could be used to execute code on a remote device and to obtain sensitive information, such as plaintext passwords.
ZDI reported that one of the critical vulnerabilities, tracked as CVE-2023-47207 (CVSS: 9.8), could be exploited via the internet if the system is network accessible. Successful exploitation of this vulnerability would allow the attacker to gain administrative privileges.
In practical scenarios, an attacker could use these vulnerabilities to compromise the InfraSuite Device Master and hide potentially important warnings from the operator. If the attacker uses other exploits against the OT system in the victim’s environment to cause disruption or damage, they could also compromise the Delta monitoring product to conceal issues in the OT system.