China Alert: Hole in SCADA Software

Wednesday, January 19, 2011 @ 05:01 PM gHale

Wellintech, the Chinese software provider that publishes KingView, a very popular supervisory control and data acquisition (SCADA) program in China, issued a patch for a vulnerability that could affect a plant’s production processes.

CN-CERT said it did not pay full attention when initially notified of the vulnerability by the developer and US-CERT. It was not until November that a further email from US-CERT alerted it to the presence of the vulnerability and led it to rediscover the earlier emails sent in September.

In November, CN-CERT informed the vendor Wellintech, which said it released a patch on Dec. 15 — without, however, informing CN-CERT of the fact and apparently without updating the version available to download from its web site. A general bug report has now found its way into CN-CERT’s database and the vendor has released a patched library.

Dillon Beresford, who discovered the KingView vulnerabilities, said on his blog that neither the vendor nor CN-CERT has provided any details of the vulnerability, thereby leaving customers in the dark over the risks it presents.

CN-CERT is now planning to review its procedures to ensure that it does not miss such emails in future.

KingView competes against some of the more popular and higher-priced SCADA software packages out there like Intellution and Wonderware. The software is more of a low-priced solution and is popular in China, particularly in factory automation.

The warning concerns KingView 6.53. The software has a process heap overflow bug that an attacker could exploit to execute arbitrary code and take full control of the targeted system, said Beresford, a security researcher at NSS Labs who detailed the vulnerability on his blog.

This vulnerability affects one of the most widely trusted and used supervisory control and data acquisition applications in China, Beresford said. The KingView data visualization software sees use throughout China’s defense, aerospace, energy, and manufacturing sectors, according to reports.

Beresford said he notified the software vendor, Wellintech, and CN-CERT, China’s computer emergency response team, about the vulnerability. Neither responded, and the vulnerable software remains available for download via Wellintech’s Web site.

After hearing no word, he released details about the vulnerability.