CVE-2018-18994 – LAquis SCADA LQS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2018-18994
LCDS Laquis SCADA prior to version 4.1.0.4150 allows an out-of-bounds read when opening a specially crafted project file, which may cause a system crash or allow data exfiltration.

This vulnerability allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of LQS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the process.

• https://ics-cert.us-cert.gov/advisories/ICSA-19-015-01
• CWE-125: Out-of-bounds Read