03 August 2018

Critical vulnerabilities in WECON LeviStudioU

Critical vulnerabilities have been identified in WECON LeviStudioU. Successful exploitation of these vulnerabilities could allow an attacker to execute code remotely.

LeviStudioU is used to develop HMI solutions in the energy, critical manufacturing, and water and wastewater systems sectors. The vulnerabilities affect versions 1.8.29 and 1.8.44.

The problems are caused by multiple stack-based (CVE-2018-10602) and heap-based (CVE-2018-10606) buffer overflow vulnerabilities. They can be exploited when the application processes specially crafted project files.

A CVSS v3 base score of 8.8 has been calculated for each of the above vulnerabilities.

Updating to the latest version of LeviStudioU may address some of the vulnerabilities.

Source: ICS-CERT