A hacker could exploit this vulnerability, identified by independent researcher Paul Davis, to carry out an arbitrary code execution or program crash, according to the advisory issued by the DHS Industrial Control Systems Cyber Emergency Response Team.
Sielco Sistemi is an Italian company that makes supervisory control and data acquisition/human-machine interface (SCADA/HMI) software and hardware products.
Affected products include Winlog Lite and Winlog PRO versions older than Version 2.07.09. Winlog Lite is a demo version of the Winlog PRO SCADA/HMI system. According to Sielco Sistemi, Winlog PRO is deployed across several sectors including manufacturing, public utilities, and telecommunications.
“In the affected versions, Winlog does not properly sanitize the inputs from project files. Invalid information in certain fields can overwrite memory locations, which causes the program to crash and could be used to execute arbitrary code….The exploit is only triggered when a local user runs the vulnerable application and loads the malformed file”, the advisory explained.
Sielco Sistemi has produced a new release that mitigates the vulnerability, which Davis has validated as resolving the issue. The company advises users to download the new Winlog release from its website at www.sielcosistemi.com.