Chinese company patches for widely used SCADA software

A Chinese company has released a patch for a serious vulnerability in industrial control software widely used in the country in industries such as national defense, months after it was first notified of the issue.

Dillon Beresford, who works for the security testing company NSS Labs, publicly released the information on Sunday after he received no response from Beijing-based WellinTech or China’s Computer Security Emergency Response Team after sending notification in September.

Beresford found the problem while analyzing WellinTech’s Kingview 6.53 software, one of the company’s flagship products. The software produces a colorful graphical interface and is used to manage industrial control systems, also known as SCADA (supervisory control and data acquisition) systems.

On its website, WellinTech says the software is mostly used in China across industries including power, water, coal mines, environmental protection and metallurgy.

The vulnerability is classified as a heap overflow, where a problem in memory can allow an attacker to execute arbitrary code. Beresford wrote on his blog that he notified both the company and China’s Computer Emergency Response Team to no avail..

“My initial disclosure to the vendor contained enough pertinent information and the proof-of-concept code to trigger the bug and overwrite pointers in memory thus allowing arbitrary code execution,” Beresford wrote.

He also contacted the U.S. CERT, which also said they would attempt to get in contact with WellinTech.

Beresford then decided to make information on the vulnerability and a working proof-of-concept exploit public, also publishing it on the Exploit Database website. The exploit has also been incorporated into the Metasploit penetration testing framework.

The exploit has been tested on the Kingview 6.53 software running on Microsoft Windows XP SP1, but also works on SP2 and SP3 according to the published information.

Beresford wrote on Tuesday that WellinTech had released a patch. The company had also apparently acknowledged the vulnerability on Dec. 10, but only on the Chinese language version of their website and not in English.

The patch also lacked what are considered to be standard notes and guidance for administrators, Beresford wrote. “This is obviously not what most in the software industry would consider best practices,” he wrote in in an update on his blog.

Attempts to contact WellinTech, which is based in Beijing, by e-mail and phone were unsuccessful Thursday.

SCADA systems have come under greater analysis since researchers discovered a sophisticated piece of malware named Stuxnet, which targeted a Siemens industrial control system. Iran admitted that the malware had impacted some of its systems.

Other researchers who studied Stuxnet found that it was likely written by a team of programmers. Some have theorized that Stuxnet was designed to disrupt Iran’s nuclear program by fiddling with high-speed electrical motors used in gas centrifuges in uranium refinement.