VULNERABILITY DETAILS
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WECON LeviStudio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists in the handling of LeviStudio Project files. By providing an overly long String Content XML attribute, an attacker can overflow a heap-based buffer and execute arbitrary code in the context of the current process.
ADDITIONAL DETAILS
This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.
12/07/2015 - ZDI disclosed multiple reports for this vendor to ICS-CERT
12/08/2015 - ICS-CERT acknowledged the reports and provided a single tracking number for all
02/15/2016 - ICS-CERT sent ZDI notification of vendor acknowledgement (on 1/20/2015)
03/01/2016 - ICS-CERT asked about ZDI's 'maturation policy,' in effect, "would ZDI extend these out to 120-days from vendor acknowledgement?"
03/01/2016 - As ZDI's policy is based on the disclosure date to the vendor, ZDI replied, "they can be extended 60 days to 180 total days... early June."
03/25/2016 - ICS-CERT communicated that the vendor was working on the issue and another request from the vendor for extension
03/28/2016 - ZDI replied that June was the maximum allowable extension
04/18/2016 - The vendor, through ICS-CERT, requested ZDI feedback on proposed fix
04/28/2016 - The ZDI replied in the negative, that ZDI did not believe the proposed fix was a 'fix'
05/31/2016 - ZDI requested an update
06/22/2016 - ZDI notified ICS-CERT of the intention to disclose the reports as 0-day on 6/29/2016
06/27/2016 - ICS-CERT replied with an acknowledgement
-- Mitigation: Given the stated purpose of WECON LeviStudio, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application to trusted files.
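A pre-open triage check for project files that arrive from outside, added here as an example (not ZDI or vendor code): it flags any XML attribute value longer than a threshold, and also DOCTYPE declarations and malformed XML. It assumes the project file is XML that a standard parser can read; the threshold and the sample element and attribute names are constructed, and a file that passes is still untrusted.

```python
import xml.parsers.expat

MAX_ATTR_LEN = 1024  # assumed triage threshold; the advisory gives no buffer size

class DoctypeFound(Exception):
    """Raised from the parser callback to stop at the first DOCTYPE."""

def scan_project_xml(data: bytes, max_len: int = MAX_ATTR_LEN) -> list:
    """Return findings for one file's XML: over-long attributes, DOCTYPE
    declarations and parse errors. An empty list means nothing was flagged."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_start(element, attrs):
        # Length is counted in characters after XML decoding, which is what the
        # consuming application receives; its in-memory byte count may be larger.
        for attr, value in attrs.items():
            if len(value) > max_len:
                findings.append({"kind": "long-attribute", "element": element,
                                 "attribute": attr, "length": len(value),
                                 "line": parser.CurrentLineNumber})

    def on_doctype(*_args):
        # Internal entities can expand a short on-disk value into a long one.
        # Assumption: a project file never needs a DTD, so stop and report it.
        raise DoctypeFound("DOCTYPE declaration present")

    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Malformed XML from an untrusted source is itself a reason not to open it.
        findings.append({"kind": "parse-error", "line": exc.lineno, "detail": str(exc)})
    except DoctypeFound as exc:
        findings.append({"kind": "doctype", "line": parser.CurrentLineNumber,
                         "detail": str(exc)})
    return findings

# Constructed samples; the element and attribute names are hypothetical.
SAMPLE_OK = b'<Project>\n<Item Content="Start pump"/>\n</Project>'
SAMPLE_LONG = b'<Project>\n<Item Content="' + b"A" * 5000 + b'"/>\n</Project>'
SAMPLE_DTD = b'<!DOCTYPE p [<!ENTITY a "AAAA">]><Project><Item Content="&a;"/></Project>'

if __name__ == "__main__":
    for label, blob in [("ok", SAMPLE_OK), ("long", SAMPLE_LONG), ("dtd", SAMPLE_DTD)]:
        print(label, scan_project_xml(blob))
```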