WECON Mitigates HMI Holes

Thursday, April 26, 2018 @ 03:04 PM gHale

WECON Technology Co., Ltd. (WECON) has an update to mitigate stack-based buffer overflows in its LeviStudio HMI Editor and PI Studio HMI Project Programmer, according to a report with ICS-CERT.

Successful exploitation of these vulnerabilities, discovered by Sergey Zelenyuk of RVRT and Michael DePlante of Leahy Center for Digital Investigation at Champlain College, both working with Trend Micro’s Zero Day Initiative, could allow remote code execution.

The following versions of LEVI Studio HMI Editor and PI Studio HMI Project Programmer, HMI programming software products, suffer from the issue:
• WECON LeviStudioU Version 1.10 part of Wecon LeviStudioU 1.8.29 and prior
• PI Studio HMI Project Programmer Build: November 11, 2017 and prior

In the vulnerability, a buffer overflow can be triggered by opening a specially crafted file.

CVE-2018-7527 is the case number assigned to these vulnerabilities, which have a CVSS v3 base score of 5.9.

The products see use in the critical manufacturing, energy, and water and wastewater systems sectors. They are also in use on a global basis.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

China-based WECON recommended users update to the latest version.


