10 October 2018
Multiple vulnerabilities in Wecon PI Studio
Multiple vulnerabilities, two of which are critical, have been identified in PI Studio, an HMI solution by WECON Technology. Successful exploitation of these vulnerabilities could allow remote code execution, including in the context of an administrator, or disclosure of sensitive information. The issues affect PI Studio HMI (versions 4.1.9 and prior) and PI Studio (versions 4.2.34 and prior).
The most severe of the vulnerabilities are a stack-based buffer overflow (CVE-2018-14818) and an out-of-bounds write (CVE-2018-14810). These vulnerabilities have been assigned CVSS v3 base scores of 9.8 and 8.8, respectively. Both could allow remote code execution. In the case of CVE-2018-14810, code could be executed in the context of an administrator.
One more security flaw (CVE-2018-17889) is due to WECON PI Studio incorporating an XML parser that is vulnerable to XXE (XML eXternal Entity) attacks. This could allow attackers to gain access to sensitive information.
In addition, PI Studio lacks proper validation of user-supplied data, which could result in a read past the end of an allocated object (CVE-2018-14814).
The vendor is currently working on fixes for the above vulnerabilities.