Patch Ready for WellinTech Holes

Tuesday, July 3, 2012 @ 03:07 PM gHale


Patches are now available for the multiple vulnerabilities in WellinTech’s KingView and the single vulnerability in KingHistorian.

These vulnerabilities, found by independent researchers Carlos Mario Penagos Hollman and Dillon Beresford, are exploitable remotely.


The affected products and versions are the WellinTech KingView 6.53 and the WellinTech KingHistorian 3.0.

Successful exploitation of these vulnerabilities could lead to arbitrary code execution, information disclosure, and denial of service (DoS).

Beijing, China-based WellinTech is a software development company specializing in automation and control. WellinTech also has offices in the United States, Japan, Singapore, Europe, and Taiwan.

The KingView product is a Windows-based control, monitoring, and data collection application deployed across several industries, including power, water, building automation, mining, and other sectors. The KingHistorian product is a database that can serve as a stand-alone historian and is likewise deployed across several industries, including water and power.

For the KingView line, an attacker who sends a specially crafted packet to Port 555/TCP could trigger a stack-based buffer overflow. This attack may allow the execution of arbitrary code. CVE-2012-1830 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.

Also, by sending a specially crafted packet to Port 555/TCP, an attacker may create a heap-based buffer overflow in the KingView application. This attack may allow the execution of arbitrary code. CVE-2012-1831 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.

By sending a specially crafted packet to either Port 2001/TCP or Port 2001/UDP, an attacker may read from an invalid memory location in the KingView application. This attack may allow the execution of arbitrary code. CVE-2012-1832 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.

By sending a specially crafted GET request via HTTP on Port 8001/TCP, an attacker may access arbitrary information from the KingView application. CVE-2012-2560 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.

In KingHistorian, an attacker who sends a specially crafted packet to Port 5678/TCP may trigger an invalid pointer write in the KingHistorian application. This attack may allow the execution of arbitrary code. CVE-2012-2559 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.

Exploiting these vulnerabilities requires a moderate skill level, and there are no known mitigations for them.
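As an added example (not from the article or from WellinTech), one way a defender can turn the advisory's port list into a monitoring check while patches are rolled out: flag flows that reach the affected KingView and KingHistorian service ports from hosts outside an engineering-workstation allowlist. The flow-log format, IP addresses and subnet below are constructed assumptions.

```python
"""Flag flows to the WellinTech service ports named in the advisory
(KingView 555/TCP, 2001/TCP+UDP, 8001/TCP; KingHistorian 5678/TCP)
whose source is not in an operator-defined allowlist."""
import ipaddress

# Exposed services from the advisory, keyed by (protocol, destination port).
ADVISORY_PORTS = {
    ("tcp", 555): ("KingView", "CVE-2012-1830 / CVE-2012-1831"),
    ("tcp", 2001): ("KingView", "CVE-2012-1832"),
    ("udp", 2001): ("KingView", "CVE-2012-1832"),
    ("tcp", 8001): ("KingView", "CVE-2012-2560"),
    ("tcp", 5678): ("KingHistorian", "CVE-2012-2559"),
}

def parse_flow(line):
    # Constructed flow-log format: "<src_ip> <dst_ip> <proto> <dst_port>"
    src, dst, proto, dport = line.split()
    return src, dst, proto.lower(), int(dport)

def find_unexpected_flows(lines, allowed_sources):
    """Return (src, dst, dport, product, cves) for every flow that hits an
    advisory port from a source outside all allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = parse_flow(line)
        service = ADVISORY_PORTS.get((proto, dport))
        if service is None:
            continue  # not one of the affected services
        if any(ipaddress.ip_address(src) in net for net in nets):
            continue  # expected engineering traffic
        hits.append((src, dst, dport, *service))
    return hits

# Constructed sample flows (not real captures); 10.10.5.x hosts run KingView/KingHistorian.
SAMPLE_FLOWS = """
# src          dst           proto  dport
10.10.1.20     10.10.5.10    tcp    555
192.0.2.44     10.10.5.10    tcp    555
192.0.2.44     10.10.5.10    udp    2001
198.51.100.7   10.10.5.10    tcp    8001
10.10.1.21     10.10.5.11    tcp    5678
203.0.113.9    10.10.5.11    tcp    5678
10.10.1.22     10.10.5.10    tcp    443
""".strip().splitlines()

ENGINEERING_NETS = ["10.10.1.0/24"]  # assumed allowlist of engineering workstations

if __name__ == "__main__":
    for hit in find_unexpected_flows(SAMPLE_FLOWS, ENGINEERING_NETS):
        print(hit)
```

Each hit names the product and CVE(s) the port is associated with in the advisory, so the alert can be routed to whoever owns that host.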

WellinTech has developed patches to resolve these issues. The WellinTech advisory and the KingView product patch are available from the vendor.

A separate WellinTech advisory and the KingHistorian product patch are also available from the vendor.
