A security researcher has uncovered a critical vulnerability in a popular SCADA software package used in China, along with flaws in several others, raising the possibility of another Stuxnet-style attack.
A critical security flaw in supervisory-control-and-data-acquisition (SCADA) systems used in China raises the possibility of another Stuxnet-like attack, a security researcher said.
The latest stable version of KingView, the SCADA software developed by Beijing WellinControl Technology Development, contains a critical heap overflow vulnerability, wrote Dillon Beresford, a security researcher at NSS Labs, on his personal blog.
KingView is used to visualize process data in industrial control systems and has been used throughout Chinese industry, including the aerospace and national
"This is not any old software," Beresford warned, noting that the vulnerability affected one of the "most widely trusted and used" SCADA software systems in China.
SCADA systems are used to operate critical equipment at industrial facilities, factories, power plants, and oil and gas refineries.
While poking around the Chinese SCADA software, Beresford found a heap overflow vulnerability in a software module that listens for and processes incoming log events from the human-machine interface (HMI) module. The vulnerability allows remote attackers to take full control of the Windows system running the flawed software, Beresford said.
While heap overflows typically require more technical expertise to discover and exploit than stack overflows, this particular flaw could be discovered by someone with only an "intermediate" amount of skill, he said.
That is very worrying, as Stuxnet, the Trojan that compromised various SCADA systems around the world last year and crippled Iran's nuclear program, had been created by "a lot of people with very specialized skills and knowledge," said Randy Abrams, director of technical education at ESET.
Exploiting this vulnerability would not pose much difficulty for developers of that caliber.

Stuxnet was "definitely going after" SCADA systems, Abrams said, but it is not clear whether Iran was the ultimate target. It's also not clear whether the "authors accomplished their objective," Abrams said.

Many Chinese industrial installations were hit hard by Stuxnet. With more vulnerabilities being exposed in SCADA software from Chinese companies, the specter of a modified Stuxnet, or a brand-new Trojan with Stuxnet capabilities, becomes more real.
Beresford published exploit code that takes advantage of the vulnerability to execute arbitrary code after he got no response from WellinTech or CN-CERT, China's National Computer Emergency Response Team, which he had contacted with his discovery in September.
"I'm not sure what's worse, a 0-day for the most popular SCADA software in China floating around in the wild," or the lack of response from CN-CERT, he wrote on his blog. He turned to the United States counterpart, US-CERT, for help, but the Chinese still didn't respond.
He'd hoped WellinTech would quietly roll out a fix or a new version with the flaw patched, but after months of no response he decided to publicize the flaw to force the company's hand. The Python code triggers the heap overflow and uses shellcode to open a shell on port 4444. The code was released as a module for the Metasploit penetration testing framework and in
"Hopefully this will be an incentive to issue a patch to all of Wellintech's customers," he wrote.
Beresford told ThreatPost that he'd found several other vulnerabilities in SCADA software packages from other Chinese vendors, and that he was in the midst of contacting the companies and CN-CERT to prepare patches for those holes as well.