WECON LeviStudioU Stack-based and Heap-based Buffer Overflow Vulnerabilities

August 14, 2018 | Adeline Zhang

According to an NCCIC report of August 13, two vulnerabilities were found in WECON LeviStudioU: a stack-based buffer overflow (CVE-2018-10602) and a heap-based buffer overflow (CVE-2018-10606).

NSFOCUS security team and Ghirmay Desta worked with Mat Powell of Trend Micro’s Zero Day Initiative to report these vulnerabilities to NCCIC.

Successful exploitation of these vulnerabilities could allow an attacker to execute code remotely.

A CVSS v3 base score of 8.8 has been assigned to both vulnerabilities.

Reference: https://ics-cert.us-cert.gov/advisories/ICSA-18-212-03

Affected Versions

LeviStudioU version 1.8.29
LeviStudioU version 1.8.44

Mitigations

Updating to the latest version of LeviStudioU (1.8.56) may address some of the vulnerabilities.
http://www.we-con.com.cn/en/download.aspx?id=45
Visit http://www.we-con.com.cn/download.aspx?id=13 for more mitigation recommendations.