Researchers Mat Powell and Natnael Samson discovered several vulnerabilities in WECON’s PI Studio HMI software, which is widely used in the critical manufacturing, energy, metallurgy, chemical, and water and wastewater sectors.
Both experts reported the flaws through Trend Micro’s Zero Day Initiative.
WECON specializes in human-machine interfaces (HMIs), programmable logic controllers (PLCs), and industrial PCs. The company’s products are used all around the world, particularly in the critical manufacturing, energy, and water and wastewater sectors.
The list of flaws discovered by the experts includes a critical stack-based buffer overflow vulnerability, tracked as CVE-2018-14818, that could lead to remote code execution.
Another flaw, tracked as CVE-2018-14810, is a high-severity out-of-bounds write bug that may allow code to be executed in the context of an administrator.
“Successful exploitation of these vulnerabilities may allow remote code execution, execution of code in the context of an administrator, read past the end of an allocated object or allow an attacker to disclose sensitive information under the context of administrator,” reads the security advisory published by ICS-CERT.
WECON has confirmed the vulnerabilities, but it has not revealed when it will release security patches.
Below is the list of mitigations provided by ICS-CERT:
“WECON has verified the vulnerabilities but has not yet released an updated version,” continues the security advisory.
“NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
(Security Affairs – WECON, SCADA)