Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

China Industrial Control Software Vulnerable To Trojan Attack

Bug could allow an attacker to take control of a widely used Chinese SCADA system by using a Stuxnet-type exploit.

Top 15 Data Visualization Tips
(click image for larger view)
Slideshow: Top 15 Data Visualization Tips
Widely used Chinese control system software is at risk from a serious vulnerability that attackers could exploit to compromise industrial control environments.

The specific warning concerns KingView 6.53, a supervisory control and data acquisition (SCADA) application used throughout China. The software has a process heap overflow bug that an attacker could exploit to execute arbitrary code and take full control of the targeted system, said Dillon Beresford, a security researcher at NSS Labs, who detailed the vulnerability on his personal blog.

"This is not any old software," he said. "The vulnerability affects one of the most widely trusted and used supervisory control and data acquisition applications in China." Indeed, the KingView data visualization software is reportedly used throughout China's defense, aerospace, energy, and manufacturing sectors.

Beresford said he notified both the software vendor, Wellintech, and CN-CERT, China's computer emergency response team, about the vulnerability. Neither responded, and the vulnerable software remains available for download via Wellintech's Web site.

So on Sunday, he publicly released details about the vulnerability. "After waiting several months to see if Wellintech would quietly issue a patch to fix the security vulnerability, they didn't," he said. "My initial disclosure to the vendor contained enough pertinent information and the proof of concept code to trigger the bug and overwrite pointers in memory, thus allowing arbitrary code execution." Beresford also released his proof-of-concept attack code -- a TCP bind shell developed using the Metasploit Framework -- in standalone form and via the Exploit Database. The proof of concept only works against systems running Windows XP SP1. Even so, the clock is ticking to see what will happen first -- Wellintech patches its software, or zero-day attacks surface that exploit the vulnerability.

Of course, the KingView vulnerability raises the possibility that a Stuxnet-like Trojan application could be developed to exploit Chinese control environments. Stuxnet, notably, was apparently developed to disable Iranian nuclear enrichment facilities. Security experts suspect that the exploit's development team likely had government backing as well as a complete copy of the targeted production environment.

Chinese organizations rely heavily on homegrown SCADA software, and Beresford told Threatpost that he's also discovered bugs in other Chinese SCADA software, which he studies in his spare time. He said he's attempting to contact the vendors of the other affected products.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.