The researcher who discovered a hole in a prominent SCADA software package used in China claims that holes in the country’s SCADA systems aren’t uncommon, and blames a lack of transparency for the vulnerabilities.
A security researcher at NSS Labs who disclosed a critical vulnerability in a popular SCADA (supervisory control and data acquisition) software package used in China said that he has discovered similar holes in other SCADA applications used in the country, and that a lack of transparency within the country on computer security matters may make it difficult to get the vulnerabilities addressed.
Dillon Beresford told Threatpost that the hole he discovered in the KingView HMI (Human Machine Interface) software by Beijing-based firm Wellintech was just one of many others he has uncovered testing Chinese SCADA software in the lab, and that he plans to disclose those holes after working with the software makers and China’s CERT to prepare patches for the holes.
Beresford, a researcher at NSS Labs, first disclosed the hole in the KingView software in a blog post on Sunday. He said that he has been poking around Chinese SCADA software in his free time. The KingView hole, which he described as a heap overflow vulnerability, exists in a software module that listens for and processes incoming log events from the HMI software, which is used to create visual representations of data flows between different machine components. The heap overflow vulnerability, which exists in versions of the KingView software running on most supported versions of Microsoft’s Windows operating system, would enable a remote attacker to take full control of a vulnerable system running the software.
He said that he discovered the heap overflow on a test system running in a controlled lab environment. Heap overflows typically require more technical expertise to discover and exploit than so-called “stack” overflows. However, the hole he discovered would require only an “intermediate” amount of skill to exploit and could be used to create an automated scan for vulnerable systems that are visible from the public Internet.
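As an added illustration of the bug class described above (this is example code written for this page, not KingView's code, and the two-byte length-prefixed record format is a hypothetical stand-in for whatever the real listener parses): a log-event parser in the unchecked pattern that produces a heap overflow, beside a version that validates the declared length against both the bytes actually received and an application maximum before copying.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example:
 *   [2-byte big-endian length][length bytes of event text]
 * The length field is attacker-controlled when the listener faces a network. */

#define FIXED_BUF_LEN 64    /* size the unsafe parser blindly allocates */
#define MAX_EVENT_LEN 256   /* application-level cap the safe parser enforces */

typedef struct {
    uint16_t len;
    char *text;             /* heap-allocated, NUL-terminated copy */
} log_event_t;

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* UNSAFE pattern: trusts the declared length. A record declaring more than
 * FIXED_BUF_LEN bytes makes memcpy write past the heap allocation, which is
 * the shape of bug the article describes. Kept here only for comparison;
 * never feed it untrusted input. Returns 0 on success. */
int parse_log_event_unsafe(const uint8_t *buf, size_t buf_len, log_event_t *out) {
    if (buf == NULL || out == NULL || buf_len < 2) return -1;
    uint16_t declared = read_be16(buf);
    char *text = malloc(FIXED_BUF_LEN);        /* fixed size, unrelated to declared */
    if (text == NULL) return -1;
    memcpy(text, buf + 2, declared);           /* no bounds check: heap overflow */
    out->len = declared;
    out->text = text;
    return 0;
}

/* SAFE version: the declared length must fit in what was received and must
 * not exceed the application maximum; the allocation is sized from the
 * validated length. Returns 0 on success, -1 on malformed input. */
int parse_log_event_safe(const uint8_t *buf, size_t buf_len, log_event_t *out) {
    if (buf == NULL || out == NULL || buf_len < 2) return -1;
    uint16_t declared = read_be16(buf);
    if ((size_t)declared > buf_len - 2) return -1;   /* claims more than was sent */
    if (declared > MAX_EVENT_LEN) return -1;         /* exceeds policy cap */
    char *text = malloc((size_t)declared + 1);
    if (text == NULL) return -1;
    memcpy(text, buf + 2, declared);
    text[declared] = '\0';
    out->len = declared;
    out->text = text;
    return 0;
}

void free_log_event(log_event_t *ev) {
    free(ev->text);
    ev->text = NULL;
    ev->len = 0;
}

/* Constructed sample records exercised through the safe parser.
 * Each returns the parsed length, or -1 when the record is rejected. */
int example_valid_record(void) {
    const uint8_t rec[] = {0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
    log_event_t ev;
    if (parse_log_event_safe(rec, sizeof rec, &ev) != 0) return -1;
    int n = (strcmp(ev.text, "hello") == 0) ? (int)ev.len : -1;
    free_log_event(&ev);
    return n;
}

int example_oversized_record(void) {
    /* declares 65535 bytes but carries one: the unsafe parser would read and
     * write far past its buffers; the safe parser rejects it */
    const uint8_t rec[] = {0xFF, 0xFF, 'x'};
    log_event_t ev;
    return parse_log_event_safe(rec, sizeof rec, &ev);
}

int example_truncated_record(void) {
    const uint8_t rec[] = {0x00};   /* not even a complete length field */
    log_event_t ev;
    return parse_log_event_safe(rec, sizeof rec, &ev);
}

int main(void) {
    printf("valid:     %d\n", example_valid_record());      /* 5  */
    printf("oversized: %d\n", example_oversized_record());  /* -1 */
    printf("truncated: %d\n", example_truncated_record());  /* -1 */
    return 0;
}
```

The two checks in the safe parser are independent: the first defends against a length that exceeds the received data (an over-read that also sizes the write), the second against a length that is consistent with the data but larger than the service should ever accept. Network-facing SCADA listeners that parse self-describing records need both.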
Beresford said that KingView is widely used in China, but that efforts to communicate with both the software maker and China’s Computer Emergency Response Team (CERT) were unsuccessful. The English language version of China’s CERT Web page appears to be dormant; the last post was in January 2007. The Chinese language version of the site is more up to date, but does not contain any mention of Beresford’s reported vulnerability.
He said that his work has uncovered similar holes in other SCADA packages in use in the country, which relies mostly on domestic SCADA software rather than products created by Western firms. It was hard to explain the lack of response to his reports, and Beresford said he hopes that releasing data on the vulnerability prompts some action on the part of China CERT and Wellintech. He said a sample exploit, created using the Metasploit Framework and posted on Exploit-DB, is designed to work on KingView running on Windows XP SP1, but not on newer versions of Windows.
The revelation may signal more attention to Chinese critical infrastructure in the wake of the Stuxnet worm outbreak. Beresford said that the country’s reliance on domestic software makers wasn’t a problem, so much as its non-transparency, which makes open communication about flaws difficult.