WECON Technology Co., Ltd.’s latest version of its LeviStudioU should mitigate stack-based buffer overflow and a heap-based buffer overflow vulnerabilities, according to a report with NCCIC.
Successful exploitation of these vulnerabilities could allow an attacker to execute remote code.
LeviStudioU, Versions 1.8.29 and 1.8.44 suffer from the remotely exploitable vulnerabilities, according to the Zero Day Initiative (ZDI).
NSFOCUS security team and Ghirmay Desta worked with Mat Powell of Trend Micro’s Zero Day Initiative to report these vulnerabilities to NCCIC.
In one vulnerability, multiple stack-based buffer overflow vulnerabilities can end up exploited when the application processes specially crafted project files.
CVE-2018-10602 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
In addition, multiple heap-based buffer overflow vulnerabilities can end up exploited when the application processes specially crafted project files.
CVE-2018-10606 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
The product sees use mainly in the critical manufacturing, energy, and water and wastewater systems sectors. It also sees action on a global basis.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.
Updating to the latest version of China-based WECON’s LeviStudioU may address some of the vulnerabilities.