WECON Technology Co., Ltd. created a new version to mitigate buffer overflows in its LeviStudio HMI Editor, according to a report with ICS-CERT.
An HMI programming software product, LEVI Studio HMI Editor v1.8.29 and prior suffer from the locally exploitable vulnerabilities, discovered by Sergey Zelenyuk of RVRT, HanM0u of CloverSec Labs, and Brian Gorenc working with Zero Day Initiative.
Successful exploitation of these vulnerabilities may result in arbitrary code execution.
No known public exploits specifically target these vulnerabilities. An attacker with low skill level could leverage the vulnerabilities.
Specially-crafted malicious files may be able to cause stack-based buffer overflow vulnerabilities, which may allow remote code execution.
CVE-2017-16739 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
In addition, a specially-crafted malicious file may be able to cause a heap-based buffer overflow vulnerability when opened by a user.
CVE-2017-16737 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.
The product mainly sees use in the critical manufacturing, energy and water and wastewater systems sectors. It also sees action on a global basis.
China-based WECON recommends users update to the latest version.