A notable number of vulnerabilities have been disclosed recently in products from China-based WECON, but the company has been slow to release fixes. WECON specializes in human-machine interfaces (HMIs), programmable logic controllers (PLCs), and industrial PCs. The firm’s products are used around the world, particularly in the critical manufacturing, energy, and water and wastewater sectors.
ICS-CERT recently published an advisory revealing that researchers Natnael Samson and Mat Powell discovered several vulnerabilities in WECON’s PI Studio HMI software. The list includes a critical stack-based buffer overflow that allows remote code execution, a high-severity out-of-bounds flaw that also allows code execution, and two medium-severity information disclosure bugs.
According to ICS-CERT, WECON has confirmed the vulnerabilities but has yet to release any fixes. ICS-CERT has published four advisories describing flaws in WECON products this year, including a medium-severity bug in the firm’s PLC Editor ladder logic software and several medium- and high-severity flaws in LeviStudio applications.
All of the flaws covered by ICS-CERT advisories were reported by Samson, Powell and several other researchers through Trend Micro’s Zero Day Initiative. In fact, Zero Day Initiative has already published 116 advisories in 2018, and more than a dozen more will be released in the coming period. It is worth noting, however, that Zero Day Initiative typically publishes multiple advisories for a single CVE, as each advisory covers a variation of the same flaw.
On the other hand, many of the ICS-CERT advisories and a large number of the Zero Day Initiative advisories were published before fixes were made available by the vendor. Many of the security flaws allow remote code execution, but because they relate to how the affected applications handle specific file types, an attacker would need to convince the targeted user to open a specially crafted file in order to trigger the exploit.