The specific warning concerns KingView 6.53, a supervisory control and data acquisition (SCADA) application used throughout China. The software has a process heap overflow bug that an attacker could exploit to execute arbitrary code and take full control of the targeted system, said Dillon Beresford, a security researcher at NSS Labs, who detailed the vulnerability on his personal blog.
"This is not any old software," he said. "The vulnerability affects one of the most widely trusted and used supervisory control and data acquisition applications in China." Indeed, the KingView data visualization software is reportedly used throughout China's defense, aerospace, energy, and manufacturing sectors.
Beresford said he notified both the software vendor, Wellintech, and CN-CERT, China's computer emergency response team, about the vulnerability. Neither responded, and the vulnerable software remains available for download via Wellintech's Web site.
So on Sunday, he publicly released details about the vulnerability. "After waiting several months to see if Wellintech would quietly issue a patch to fix the security vulnerability, they didn't," he said. "My initial disclosure to the vendor contained enough pertinent information and the proof of concept code to trigger the bug and overwrite pointers in memory, thus allowing arbitrary code execution." Beresford also released his proof-of-concept attack code -- a TCP bind shell developed using the Metasploit Framework -- in standalone form and via the Exploit Database. The proof of concept only works against systems running Windows XP SP1. Even so, the clock is ticking to see what will happen first -- Wellintech patches its software, or zero-day attacks surface that exploit the vulnerability.
Of course, the KingView vulnerability raises the possibility that a Stuxnet-like Trojan application could be developed to exploit Chinese control environments. Stuxnet, notably, was apparently developed to disable Iranian nuclear enrichment facilities. Security experts suspect that the exploit's development team likely had government backing as well as a complete copy of the targeted production environment.
Chinese organizations rely heavily on homegrown SCADA software, and Beresford told Threatpost that he's also discovered bugs in other Chinese SCADA software, which he studies in his spare time. He said he's attempting to contact the vendors of the other affected products.