Dillon Beresford, a security researcher for NSS Labs, has uncovered a vulnerability in SCADA software that is widely used across China.
Beresford found a critical flaw in software produced by Beijing-based WellinControl Technology (Wellintech) that could enable an attacker to execute arbitrary code on Supervisory Control and Data Acquisition (SCADA) systems used to administer critical infrastructure.
Beresford claims to have notified both Wellintech and China's National Computer Network Emergency Response Team (CN-CERT) about the vulnerability last September, but has never received a reply.
Meanwhile, Beresford has developed a Metasploit-based TCP bind shell script to demonstrate the exploitable vulnerability in the Wellintech SCADA software and submitted it to Exploit-DB.
Beresford writes on his blog about the lack of response from Wellintech and CN-CERT:
"I'm not sure what's worse, a 0day for the most popular SCADA software in China floating around in the wild or a team of security professionals from China's CERT sleeping behind the wheel."
He had supposed that the lack of a reply did not mean a lack of response, and that a patch for the vulnerability would be issued quietly, but no such action has been taken.
"At this point the only thing left for me to do was share the information with the security community and send it over to the good people at Exploit-DB," Beresford wrote.
Concern about the vulnerability of SCADA systems has grown at the international level since the arrival of the Stuxnet virus, which is reported to have set back Iran's nuclear program significantly.