Critical vulnerabilities have been identified in WECON LeviStudioU. Successful exploitation of these vulnerabilities could allow an attacker to execute code remotely.
LeviStudioU is used to develop HMI solutions in energy, critical manufacturing, and water and wastewater systems. The vulnerabilities affect the following versions: 1.8.29 and 1.8.44.
The problems are caused by multiple stack-based (CVE-2018-10602) and heap-based (CVE-2018-10606) buffer overflow vulnerabilities. They can be exploited when the application processes specially crafted project files.
A CVSS v3 base score of 8.8 has been calculated for each of the above vulnerabilities.
Updating to the latest version of LeviStudioU may address some of the vulnerabilities.
Source: ICS-CERT