WECON LeviStudio Buffer Overflow Vulnerabilities
Monitor | 5.3 | ICS-CERT ICSA-16-189-01 | Apr 10, 2016
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
WECON LeviStudio contains multiple buffer overflow vulnerabilities (CWE-121, CWE-122) in all versions. These vulnerabilities allow local code execution if a user opens a specially crafted file in the application. An attacker could exploit this to run arbitrary code on the engineering workstation with the privileges of the user running LeviStudio.
What this means
What could happen
An attacker could exploit a buffer overflow in LeviStudio to execute arbitrary code on the engineering workstation running the software, potentially allowing modification of control logic before deployment to programmable logic controllers (PLCs) or other field devices.
Who's at risk
Engineering teams at utilities and industrial facilities that use WECON LeviStudio for PLC and industrial automation programming should be concerned. This affects anyone developing and deploying control logic for water treatment, power distribution, manufacturing processes, or other critical operations.
How it could be exploited
An attacker would need to craft a malicious input file (project file, configuration file, or other data that LeviStudio parses) that triggers a buffer overflow when opened by an engineer. This could be delivered via email or a compromised file share. When the engineer opens the file in LeviStudio, the overflow executes attacker-supplied code with the privileges of the user running LeviStudio on the engineering workstation.
Prerequisites
- User interaction required - engineer must open a malicious file in LeviStudio
- Local code execution only (attacker cannot exploit remotely unless they first compromise a network share or email)
- Access to social engineering or file delivery mechanism
- No patch available
- Low complexity attack
- User interaction required
- Affects engineering workstations (supply chain risk)
Exploitability
Moderate exploit probability (EPSS 8.3%)
Affected products (1)
Product | Affected Versions | Fix Status
LeviStudio: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement and enforce email and file transfer controls on engineering workstations to block or quarantine suspicious files
WORKAROUND: Train engineering staff to avoid opening files from untrusted sources and validate file sources before opening in LeviStudio
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Enable application whitelisting on LeviStudio workstations to prevent unauthorized code execution
Mitigations - no patch available
LeviStudio: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict access to LeviStudio workstations to authorized engineering personnel only; implement role-based access controls
HARDENING: Maintain LeviStudio workstations on an isolated engineering network segment with limited external connectivity
CVEs (2)