ID

VAR-201810-0394


CVE

CVE-2018-14810


TITLE

(0Day) WECON PIStudio HSC File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

Trust: 2.1

sources: ZDI: ZDI-19-1032 // ZDI: ZDI-19-450 // ZDI: ZDI-19-449

DESCRIPTION

WECON Technology Co., Ltd. PI Studio HMI versions 4.1.9 and prior and PI Studio versions 4.2.34 and prior parse files and pass unvalidated user data to an unsafe method call, which may allow code to be executed in the context of an administrator. PI Studio HMI and PI Studio contain an out-of-bounds vulnerability. Information may be obtained or altered, and service operation may be disrupted (DoS). This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Wecon PIStudio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of hsc files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to execute code under the context of an administrator. Wecon PIStudio is an HMI software. Wecon PI Studio HMI and PI Studio are human interface programming software from Wecon Technologies. A buffer overflow vulnerability exists in Wecon PI Studio HMI 4.1.9 and earlier and PI Studio 4.2.34 and earlier. WECON PIStudio is prone to a remote code-execution vulnerability. Failed exploit attempts will likely cause denial-of-service conditions.

Trust: 6.12

sources: NVD: CVE-2018-14810 // JVNDB: JVNDB-2018-010754 // ZDI: ZDI-19-1032 // ZDI: ZDI-19-450 // ZDI: ZDI-19-449 // ZDI: ZDI-18-1107 // CNVD: CNVD-2019-42805 // CNVD: CNVD-2018-21173 // BID: 108503 // BID: 105710 // IVD: e2fdde6e-39ab-11e9-ab9a-000c29342cb1 // IVD: bc269758-613b-47a7-ba82-c07f15095edc

IOT TAXONOMY

category: ['ICS'] | sub_category: -

Trust: 1.6

sources: IVD: e2fdde6e-39ab-11e9-ab9a-000c29342cb1 // IVD: bc269758-613b-47a7-ba82-c07f15095edc // CNVD: CNVD-2019-42805 // CNVD: CNVD-2018-21173

AFFECTED PRODUCTS

vendor: wecon | model: pistudio | scope: - | version: -

Trust: 3.4

vendor: we con | model: pi studio hmi | scope: lte | version: 4.1.9

Trust: 1.0

vendor: we con | model: pi studio | scope: lte | version: 4.2.34

Trust: 1.0

vendor: wecon | model: pi studio | scope: lte | version: 4.2.34

Trust: 0.8

vendor: wecon | model: pi studio hmi | scope: lte | version: 4.1.9

Trust: 0.8

vendor: wecon | model: pi studio hmi | scope: lte | version: <=4.1.9

Trust: 0.6

vendor: wecon | model: pi studio | scope: lte | version: <=4.2.34

Trust: 0.6

vendor: we con | model: pi studio hmi | scope: eq | version: 4.1.9

Trust: 0.6

vendor: we con | model: pi studio | scope: eq | version: 4.2.34

Trust: 0.6

vendor: wecon | model: pi studio | scope: eq | version: 0

Trust: 0.3

vendor: wecon | model: pi studio hmi project programmer | scope: eq | version: 4.1.9

Trust: 0.3

vendor: wecon | model: pi studio | scope: eq | version: 4.2.34

Trust: 0.3

vendor: pi studio | model: - | scope: eq | version: *

Trust: 0.2

vendor: pi studio hmi | model: - | scope: eq | version: *

Trust: 0.2

vendor: wecon | model: pistudio | scope: eq | version: *

Trust: 0.2

sources: IVD: e2fdde6e-39ab-11e9-ab9a-000c29342cb1 // IVD: bc269758-613b-47a7-ba82-c07f15095edc // ZDI: ZDI-19-1032 // ZDI: ZDI-19-450 // ZDI: ZDI-19-449 // ZDI: ZDI-18-1107 // CNVD: CNVD-2019-42805 // CNVD: CNVD-2018-21173 // BID: 108503 // BID: 105710 // JVNDB: JVNDB-2018-010754 // CNNVD: CNNVD-201810-243 // NVD: CVE-2018-14810

CVSS

SEVERITY

CVSSV2

CVSSV3

ZDI: CVE-2018-14810
value: HIGH

Trust: 2.8

nvd@nist.gov: CVE-2018-14810
value: HIGH

Trust: 1.0

NVD: CVE-2018-14810
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-42805
value: HIGH

Trust: 0.6

CNVD: CNVD-2018-21173
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201810-243
value: HIGH

Trust: 0.6

IVD: e2fdde6e-39ab-11e9-ab9a-000c29342cb1
value: HIGH

Trust: 0.2

IVD: bc269758-613b-47a7-ba82-c07f15095edc
value: HIGH

Trust: 0.2

nvd@nist.gov: CVE-2018-14810
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2018-14810
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2

Trust: 0.7

CNVD: CNVD-2019-42805
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CNVD: CNVD-2018-21173
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2fdde6e-39ab-11e9-ab9a-000c29342cb1
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

IVD: bc269758-613b-47a7-ba82-c07f15095edc
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

nvd@nist.gov: CVE-2018-14810
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

ZDI: CVE-2018-14810
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 1.4

ZDI: CVE-2018-14810
baseSeverity: HIGH
baseScore: 8.4
vectorString: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.5
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: IVD: e2fdde6e-39ab-11e9-ab9a-000c29342cb1 // IVD: bc269758-613b-47a7-ba82-c07f15095edc // ZDI: ZDI-19-1032 // ZDI: ZDI-19-450 // ZDI: ZDI-19-449 // ZDI: ZDI-18-1107 // CNVD: CNVD-2019-42805 // CNVD: CNVD-2018-21173 // JVNDB: JVNDB-2018-010754 // CNNVD: CNNVD-201810-243 // NVD: CVE-2018-14810

PROBLEMTYPE DATA

problemtype:CWE-787

Trust: 1.8

sources: JVNDB: JVNDB-2018-010754 // NVD: CVE-2018-14810

THREAT TYPE

network

Trust: 0.6

sources: BID: 108503 // BID: 105710

TYPE

Buffer error

Trust: 0.8

sources: IVD: e2fdde6e-39ab-11e9-ab9a-000c29342cb1 // CNNVD: CNNVD-201810-243

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010754

PATCH

title: This vulnerability is being disclosed publicly without a patch in accordance with ZDI policies.
06/26/2019 - ZDI provided the vulnerability report to ICS-CERT
07/02/2019 - ICS-CERT acknowledged the report and provided an ICS VU#
11/19/2019 - ZDI requested any available update
11/29/2019 - ZDI requested any available update
12/05/2019 - ZDI requested any available update
12/18/2019 - ZDI advised ICS-CERT of the intention to publish the report as 0-day on Dec 30
12/02/2021 - The vendor published an update
Mitigation: Given the nature of the vulnerability the only salient mitigation strategy is to restrict interaction with the application.
url: https://us-cert.cisa.gov/ics/advisories/ICSA-18-277-01--

Trust: 2.1

title: Top Page
url: http://www.we-con.com.cn/en/index.aspx

Trust: 0.8

title: Wecon has issued an update to correct this vulnerability. This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.
05/18/18 - ZDI sent the report to ICS-CERT
05/22/18 - ICS-CERT acknowledged, confirmed the report was sent to the vendor and sent an ICS-VU #
09/17/18 - ZDI asked ICS-CERT to confirm the report remains unpatched and to advise the vendor of the intent to publish the report as 0-day on 10/02/18
Mitigation: Given the nature of the vulnerability the only salient mitigation strategy is to restrict interaction with the application to trusted files.
url: https://us-cert.cisa.gov/ics/advisories/ICSA-18-277-01

Trust: 0.7

sources: ZDI: ZDI-19-1032 // ZDI: ZDI-19-450 // ZDI: ZDI-19-449 // ZDI: ZDI-18-1107 // JVNDB: JVNDB-2018-010754

EXTERNAL IDS

db: NVD | id: CVE-2018-14810

Trust: 6.3

db: ICS CERT | id: ICSA-18-277-01

Trust: 3.3

db: ZDI | id: ZDI-19-450

Trust: 1.6

db: ZDI | id: ZDI-19-449

Trust: 1.0

db: CNVD | id: CNVD-2018-21173

Trust: 0.8

db: CNNVD | id: CNNVD-201810-243

Trust: 0.8

db: CNVD | id: CNVD-2019-42805

Trust: 0.8

db: JVNDB | id: JVNDB-2018-010754

Trust: 0.8

db: ZDI_CAN | id: ZDI-CAN-8927

Trust: 0.7

db: ZDI | id: ZDI-19-1032

Trust: 0.7

db: ZDI_CAN | id: ZDI-CAN-7641

Trust: 0.7

db: ZDI_CAN | id: ZDI-CAN-7635

Trust: 0.7

db: ZDI_CAN | id: ZDI-CAN-6244

Trust: 0.7

db: ZDI | id: ZDI-18-1107

Trust: 0.7

db: BID | id: 108503

Trust: 0.3

db: BID | id: 105710

Trust: 0.3

db: IVD | id: E2FDDE6E-39AB-11E9-AB9A-000C29342CB1

Trust: 0.2

db: IVD | id: BC269758-613B-47A7-BA82-C07F15095EDC

Trust: 0.2

sources: IVD: e2fdde6e-39ab-11e9-ab9a-000c29342cb1 // IVD: bc269758-613b-47a7-ba82-c07f15095edc // ZDI: ZDI-19-1032 // ZDI: ZDI-19-450 // ZDI: ZDI-19-449 // ZDI: ZDI-18-1107 // CNVD: CNVD-2019-42805 // CNVD: CNVD-2018-21173 // BID: 108503 // BID: 105710 // JVNDB: JVNDB-2018-010754 // CNNVD: CNNVD-201810-243 // NVD: CVE-2018-14810

REFERENCES

url:https://ics-cert.us-cert.gov/advisories/icsa-18-277-01

Trust: 3.3

url:https://us-cert.cisa.gov/ics/advisories/icsa-18-277-01--

Trust: 2.1

url:https://www.zerodayinitiative.com/advisories/zdi-19-450/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-14810

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-14810

Trust: 0.8

url:https://us-cert.cisa.gov/ics/advisories/icsa-18-277-01

Trust: 0.7

url:http://www.we-con.com.cn/en

Trust: 0.3

url:http://www.we-con.com.cn/en/download_45.html

Trust: 0.3

url:https://www.zerodayinitiative.com/advisories/zdi-19-449/

Trust: 0.3

url:http://www.we-con.com.cn/en/

Trust: 0.3

sources: ZDI: ZDI-19-1032 // ZDI: ZDI-19-450 // ZDI: ZDI-19-449 // ZDI: ZDI-18-1107 // CNVD: CNVD-2019-42805 // CNVD: CNVD-2018-21173 // BID: 108503 // BID: 105710 // JVNDB: JVNDB-2018-010754 // CNNVD: CNNVD-201810-243 // NVD: CVE-2018-14810

CREDITS

Mat Powell of Trend Micro Zero Day Initiative

Trust: 2.1

sources: ZDI: ZDI-19-1032 // ZDI: ZDI-19-450 // ZDI: ZDI-19-449

SOURCES

db: IVD | id: e2fdde6e-39ab-11e9-ab9a-000c29342cb1
db: IVD | id: bc269758-613b-47a7-ba82-c07f15095edc
db: ZDI | id: ZDI-19-1032
db: ZDI | id: ZDI-19-450
db: ZDI | id: ZDI-19-449
db: ZDI | id: ZDI-18-1107
db: CNVD | id: CNVD-2019-42805
db: CNVD | id: CNVD-2018-21173
db: BID | id: 108503
db: BID | id: 105710
db: JVNDB | id: JVNDB-2018-010754
db: CNNVD | id: CNNVD-201810-243
db: NVD | id: CVE-2018-14810

LAST UPDATE DATE

2024-11-23T22:12:19.328000+00:00


SOURCES UPDATE DATE

db: ZDI | id: ZDI-19-1032 | date: 2021-12-03T00:00:00
db: ZDI | id: ZDI-19-450 | date: 2021-12-03T00:00:00
db: ZDI | id: ZDI-19-449 | date: 2021-12-03T00:00:00
db: ZDI | id: ZDI-18-1107 | date: 2021-12-02T00:00:00
db: CNVD | id: CNVD-2019-42805 | date: 2019-11-29T00:00:00
db: CNVD | id: CNVD-2018-21173 | date: 2018-10-18T00:00:00
db: BID | id: 108503 | date: 2019-05-02T00:00:00
db: BID | id: 105710 | date: 2018-10-04T00:00:00
db: JVNDB | id: JVNDB-2018-010754 | date: 2018-12-21T00:00:00
db: CNNVD | id: CNNVD-201810-243 | date: 2019-10-17T00:00:00
db: NVD | id: CVE-2018-14810 | date: 2024-11-21T03:49:50.663

SOURCES RELEASE DATE

db: IVD | id: e2fdde6e-39ab-11e9-ab9a-000c29342cb1 | date: 2018-10-18T00:00:00
db: IVD | id: bc269758-613b-47a7-ba82-c07f15095edc | date: 2019-11-29T00:00:00
db: ZDI | id: ZDI-19-1032 | date: 2019-12-30T00:00:00
db: ZDI | id: ZDI-19-450 | date: 2019-05-02T00:00:00
db: ZDI | id: ZDI-19-449 | date: 2019-05-02T00:00:00
db: ZDI | id: ZDI-18-1107 | date: 2018-10-02T00:00:00
db: CNVD | id: CNVD-2019-42805 | date: 2019-11-29T00:00:00
db: CNVD | id: CNVD-2018-21173 | date: 2018-10-17T00:00:00
db: BID | id: 108503 | date: 2019-05-02T00:00:00
db: BID | id: 105710 | date: 2018-10-04T00:00:00
db: JVNDB | id: JVNDB-2018-010754 | date: 2018-12-21T00:00:00
db: CNNVD | id: CNNVD-201810-243 | date: 2018-10-09T00:00:00
db: NVD | id: CVE-2018-14810 | date: 2018-10-08T12:29:00.283