WellinTech KingHistorian Vulnerability Exposes ICS


WellinTech KingHistorian, a time-series database used to store and analyze industrial control system (ICS) data, contains an integer conversion flaw in the RecvPacket functionality of its SORBAx64.dll component.

A specially crafted network packet can turn that flaw into a buffer overflow: the packet's size field is converted and compared in a way that lets an oversized value pass the bounds check.

The issue is tracked as CVE-2022-43663 and carries a CVSSv3 score of 8.1. It affects WellinTech KingHistorian version 35.01.00.05 and is triggered by an attacker who sends a malicious packet to the service, so any host that can reach the KingHistorian network listener is in a position to exploit it.

WellinTech KingHistorian SORBAx64.dll vulnerability explained

The vulnerability was discovered by Carl Hurd of Cisco Talos, who reported the issue to the vendor on 16 December 2022.

The vendor, WellinTech, disclosed the vulnerability on 22 December 2022 and released a patch to address the issue on 17 March 2023.

The vulnerability is caused by an integer conversion issue in the RecvPacket functionality of SORBAx64.dll. When a packet is received, a 32-bit size field is extracted from it and checked against the size of a stack buffer that will hold the packet data.

That check is a signed comparison. A size value of 0x80000000 or above is negative when interpreted as a signed 32-bit integer, so it compares as smaller than the buffer and the check passes even though the value is enormous.

The stack buffer is statically sized at 0xfa00 bytes. Once the check is bypassed, the same size value is used as an unsigned length for the copy into that buffer, so a packet declaring a size above 0x80000000 causes a stack-based buffer overflow. Values between 0xfa00 and 0x7fffffff are correctly rejected; only the sign-flipped range slips through.
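The following C program is an added illustration of the bug class described above; it is not the code of SORBAx64.dll, whose packet format and field layout are not published. It models a fixed 0xfa00-byte receive buffer, a 32-bit size field (assumed little-endian, at packet offset 0, for the demo), a vulnerable signed bounds check beside its hardened unsigned form, and a constructed packet header that passes the signed check while declaring a length far larger than the buffer. The copy itself is simulated by reporting the length that would be handed to memcpy rather than performing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stack buffer size named in the advisory. */
#define BUF_SIZE 0xfa00u

/* Size field is assumed to be a little-endian uint32 at packet offset 0
 * (an assumption for this demo; the real wire format is not documented). */
static uint32_t read_size_le(const uint8_t *hdr) {
    return (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
           ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
}

/* Vulnerable check: the unsigned size field is converted to a signed 32-bit
 * integer and compared with a signed comparison. Any value >= 0x80000000
 * becomes negative (two's-complement wrap on mainstream compilers) and so
 * compares "less than" the buffer size. Returns true when the copy proceeds. */
bool vulnerable_size_check(uint32_t size_field) {
    int32_t size = (int32_t)size_field;   /* the integer conversion */
    return size <= (int32_t)BUF_SIZE;     /* signed comparison: negatives pass */
}

/* Hardened check: keep the field unsigned and bound it against the buffer. */
bool hardened_size_check(uint32_t size_field) {
    return size_field <= BUF_SIZE;
}

/* Simulated RecvPacket: parse the size field, apply the given check, and
 * return the byte count that would be passed to the copy into the 0xfa00-byte
 * stack buffer (0 means the packet was rejected). The copy is not performed. */
uint32_t recv_packet_copy_len(const uint8_t *pkt, size_t pkt_len,
                              bool (*check)(uint32_t)) {
    if (pkt_len < 4) {
        return 0;
    }
    uint32_t declared = read_size_le(pkt);
    if (!check(declared)) {
        return 0;
    }
    /* In the real bug this is where memcpy(stack_buf, pkt + 4, declared)
     * runs with declared used as an unsigned length. */
    return declared;
}

/* True when the accepted length would exceed the fixed buffer. */
bool would_overflow(uint32_t copy_len) {
    return copy_len > BUF_SIZE;
}

/* Constructed packet: size field 0xffff0000 (= -65536 as int32) + 4 bytes of payload. */
const uint8_t malicious_pkt[] = { 0x00, 0x00, 0xff, 0xff, 'A', 'B', 'C', 'D' };
const size_t malicious_pkt_len = sizeof(malicious_pkt);

/* Constructed benign packet: size field 0x100. */
const uint8_t benign_pkt[] = { 0x00, 0x01, 0x00, 0x00, 'A', 'B', 'C', 'D' };
const size_t benign_pkt_len = sizeof(benign_pkt);

int main(void) {
    uint32_t v = recv_packet_copy_len(malicious_pkt, malicious_pkt_len, vulnerable_size_check);
    uint32_t h = recv_packet_copy_len(malicious_pkt, malicious_pkt_len, hardened_size_check);
    printf("malicious packet, signed check:   copy_len=0x%08x overflow=%d\n", v, would_overflow(v));
    printf("malicious packet, unsigned check: copy_len=0x%08x overflow=%d\n", h, would_overflow(h));
    printf("benign packet,    signed check:   copy_len=0x%08x\n",
           recv_packet_copy_len(benign_pkt, benign_pkt_len, vulnerable_size_check));
    return 0;
}
```

Running the program shows the signed check accepting a declared length of 0xffff0000 and handing it to the copy, while the unsigned check rejects the same packet. The fix is purely a matter of keeping the length unsigned (or additionally rejecting negative values before the comparison); no change to the buffer size is needed.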

Because the overflow is on the stack and is reachable with a single crafted packet, an attacker can exploit the vulnerability to execute arbitrary code on the affected system. That could expose the historical process data the historian stores and give the attacker a foothold inside the industrial control network.

To mitigate the risk of exploitation, users of WellinTech KingHistorian are advised to apply the vendor's patch immediately.

Until the patch is deployed, the trigger is a network packet, so limiting which hosts can reach the KingHistorian service is the most effective interim control. Users are also recommended to follow established practices for securing industrial control systems: network segmentation, regular monitoring of traffic to and from the historian, and restricting access to critical systems.
