CVE-2021-23157 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2021-23157?

CVE-2021-23157 has a CVSS score of 7.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on affected WECON LeviStudioU systems by exploiting a heap-based buffer overflow. Attackers could gain full control of the system, potentially leading to data theft, system disruption, or lateral movement within industrial control networks. Organizations using WECON LeviStudioU versions 2019-09-21 and earlier for industrial automation are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected WECON LeviStudioU systems by exploiting a heap-based buffer overflow. Attackers could gain full control of the system, potentially leading to data theft, system disruption, or lateral movement within industrial control networks. Organizations using WECON LeviStudioU versions 2019-09-21 and earlier for industrial automation are affected.

💻 Affected Systems

Products:

WECON LeviStudioU

Versions: Versions 2019-09-21 and earlier

Operating Systems: Windows (based on typical industrial control software deployment)

Default Config Vulnerable: ⚠️ Yes

Notes: This is industrial control software used for HMI/SCADA systems, typically deployed in manufacturing and critical infrastructure environments.

📦 What is this software?

Levistudiou by We Con

View all CVEs affecting Levistudiou →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attackers to execute arbitrary code, steal sensitive industrial control data, disrupt manufacturing processes, and pivot to other critical infrastructure systems.

🟠

Likely Case

Remote code execution leading to data exfiltration, ransomware deployment, or disruption of industrial control operations.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls, potentially only affecting isolated systems without critical data.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely without authentication, making internet-facing systems particularly vulnerable to widespread attacks.

🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated remote code execution, posing significant risk to industrial control networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Multiple advisories from ZDI and CISA indicate detailed technical information is available, making exploitation feasible for skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2019-09-21

Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-21-355-03

Restart Required: Yes

Instructions:

1. Contact WECON for updated software version. 2. Backup current configuration. 3. Install updated LeviStudioU version. 4. Restart affected systems. 5. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate LeviStudioU systems from untrusted networks and internet access

Access Control Restrictions

all

Implement strict firewall rules to limit access to LeviStudioU systems

🧯 If You Can't Patch

Implement strict network segmentation to isolate affected systems from production networks
Deploy intrusion detection systems to monitor for exploitation attempts and anomalous behavior

🔍 How to Verify

Check if Vulnerable:

Check LeviStudioU version in Help > About menu. If version is 2019-09-21 or earlier, system is vulnerable.

Check Version:

Check via LeviStudioU GUI: Help > About menu

Verify Fix Applied:

Verify version is updated beyond 2019-09-21 and test functionality with non-critical operations.

📡 Detection & Monitoring

Log Indicators:

Unusual process creation from LeviStudioU
Memory access violations
Network connections to LeviStudioU from unexpected sources

Network Indicators:

Unusual traffic patterns to LeviStudioU ports
Malformed packets targeting LeviStudioU services

SIEM Query:

source="LeviStudioU" AND (event_type="process_creation" OR event_type="memory_violation")

📊 Metadata

CVE ID: CVE-2021-23157

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

Published: January 14, 2022

Last Updated: November 21, 2024

🔗 References

https://www.cisa.gov/uscert/ics/advisories/icsa-21-355-03 Third Party Advisory,US Government Resource
https://www.zerodayinitiative.com/advisories/ZDI-22-130/ Third Party Advisory,VDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-22-132/ Third Party Advisory,VDB Entry
https://www.cisa.gov/uscert/ics/advisories/icsa-21-355-03 Third Party Advisory,US Government Resource
https://www.zerodayinitiative.com/advisories/ZDI-22-130/ Third Party Advisory,VDB Entry
https://www.zerodayinitiative.com/advisories/ZDI-22-132/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-23157, you might also want to check these: