Jan 11, 2011 12:04 GMT

Faced with no response from the vendor for months, a security researcher published exploit code for a critical vulnerability in a widespread Chinese SCADA software package.

The affected software is called KingView and is developed by Beijing WellinControl Technology Development Co., Ltd., commonly referred to as WellinTech.

According to Dillon Beresford, a security researcher at NSS Labs, the latest stable version of the software (6.53), distributed from the vendor's site, contains a heap overflow vulnerability that can be exploited to execute arbitrary code.

The researcher claims he attempted to make contact via email with WellinTech, as well as with CN-CERT, China's National Computer Emergency Response Team, on September 28, 2010, but received no reply.

"While I found it extremely disappointing that Wellintech never responded to my disclosure, I was far more bothered with the fact that CN-CERT never responded. What are they doing over there?" the researcher writes.

Supervisory control and data acquisition (SCADA) systems are involved in the operation of critical equipment at industrial facilities, factories, power plants, oil and gas refineries and so on.

Therefore, a critical vulnerability in one of the most popular SCADA software packages in China should be treated very seriously.

Even more so since many Chinese industrial installations were hit hard by the notorious Stuxnet industrial espionage worm that also targets SCADA systems.

Faced with no response, the researcher tried to co-ordinate the disclosure through US-CERT, but they didn't manage to reach their Chinese counterparts or the vendor either.

"Moreover, after waiting several months to see if Wellintech would quietly issue a patch to fix the security vulnerability they didn't. I made a decision to develop a working exploit with code execution to prove that this wasn't just another software bug," Beresford notes.

The exploit code was released as a module for the Metasploit penetration testing framework and in stand-alone form on exploit-db. The researcher hopes that following the disclosure, the vendor will be alerted through other channels and will address the flaw quickly.