WECON PI Studio HMI software affected by code execution flaws
9.10.18 securityaffairs
ICS Vulnerability

Security experts discovered several vulnerabilities in WECON’s PI Studio HMI software; the company has verified the issues but has not yet released patches.
Researchers Mat Powell and Natnael Samson discovered several vulnerabilities in WECON’s PI Studio HMI software, which is widely used in the critical manufacturing, energy, metallurgy, chemical, and water and wastewater sectors.

Both experts reported the flaws through Trend Micro’s Zero Day Initiative.

WECON specializes in human-machine interfaces (HMIs), programmable logic controllers (PLCs), and industrial PCs. The company’s products are used all around the world, particularly in the critical manufacturing, energy, and water and wastewater sectors.

The list of flaws discovered by the experts includes a critical stack-based buffer overflow vulnerability, tracked as CVE-18-14818, that could lead to remote code execution.

Another flaw, tracked as CVE-18-14810, is a high-severity out-of-bounds write bug which may allow code to be executed in the context of an administrator.

The remaining issues are two medium-severity information disclosure flaws, tracked as CVE-18-17889 and CVE-18-14814.

“Successful exploitation of these vulnerabilities may allow remote code execution, execution of code in the context of an administrator, read past the end of an allocated object or allow an attacker to disclose sensitive information under the context of administrator.” reads the security advisory published by the ICS-CERT.

WECON has confirmed the vulnerabilities, but it has not revealed when it will release security patches.


Below is the list of mitigations provided by the ICS-CERT:

“WECON has verified the vulnerabilities but has not yet released an updated version.” continues the security advisory.

“NCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.”