WECON Technology Co., Ltd (WECON) has an updated version to mitigate stack-based buffer overflow, heap-based buffer overflow, and memory corruption vulnerabilities in its LeviStudioU, according to a report with NCCIC.
Successful exploitation of these vulnerabilities, discovered by Mat Powell, Ziad Badawi, and Natnael Samson working with Trend Micro’s Zero Day Initiative, could allow attackers to execute arbitrary code.
LeviStudioU Versions 1.8.56 and prior suffer from the vulnerabilities.
In one vulnerability, several heap-based buffer overflow issues have been identified, which may allow arbitrary code execution.
CVE-2019-6539 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
In addition, multiple stack-based buffer overflow vulnerabilities may be exploited when parsing strings within project files. The process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage these vulnerabilities to execute code under the context of the current process.
CVE-2019-6537 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
A memory corruption vulnerability has been identified, which may allow arbitrary code execution.
CVE-2019-6541 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.8.
The product sees use mainly in the critical manufacturing, energy, and water and wastewater systems sectors. It also sees action on a global basis.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely. However, an attacker with low skill level could leverage the vulnerabilities.
China-based WECON produced an updated version to fix the reported problems. Contact WECON customer service for more information about how to obtain the updated version at 0086-591-87868869-894 or go to its website.