ICS-CERT: WellinTech KingSCADA Insecure Password Encryption

Thursday, May 10, 2012

Infosec Island Admin


This advisory is a follow-up to the alert titled “ICS-ALERT-12-020-06 WellinTech KingSCADA Insecure Password Encryption Vulnerability” that was published January 20, 2012, on the ICS-CERT web page.

Independent researchers Alexandr Polyakov and Alexey Sintsov from DSecRG identified an insecure password encryption vulnerability in the WellinTech KingSCADA application. When the KingSCADA OPCServer and OPCClient are not on the same node, a remote attacker may obtain passwords to the system.

DSecRG disclosed this vulnerability on its website without coordination with ICS-CERT, the vendor, or any other coordinating entity. An exploit is known to be publicly available.

ICS-CERT has coordinated the mitigation of this vulnerability with WellinTech, which has produced a new version of KingSCADA that resolves the problem. ICS-CERT has not tested this version to verify that the vulnerability is resolved.

The following WellinTech KingSCADA versions are affected: WellinTech KingSCADA 3.0.

IMPACT

This vulnerability allows an attacker with access to the password storage file to decode all passwords and use those passwords to access the system as a normal user.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

WellinTech is a software development company specializing in the automation and control industry, based in Beijing, China. According to WellinTech, it also has branches in the United States, Japan, Singapore, Europe, and Taiwan.

The WellinTech website describes KingSCADA as a Windows-based control, monitoring, and data collection application used across several industries including power, water, building automation, mining, and other sectors.

VULNERABILITY OVERVIEW

INSECURE PASSWORD ENCRYPTION:  System passwords are stored in a file format that is easy for an attacker to decode. If an attacker is able to access and decode this file, he will be able to log into the system as a normal user or administrator. CVE-2012-1977 has been assigned to this vulnerability. A CVSS V2 base score of 7.2 has also been assigned.

EXPLOITABILITY:  This vulnerability is remotely exploitable.

EXISTENCE OF EXPLOIT:  Public exploit(s) are known to target this vulnerability.

DIFFICULTY:  An attacker with a low skill level would be able to exploit this vulnerability.

MITIGATION

WellinTech has provided the following link to the latest version of KingSCADA:

According to WellinTech, this new version securely hashes passwords. ICS-CERT has not tested the new version to verify this.
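As an added illustration of the storage flaw described in the vulnerability overview and of the hashing fix described here (example code, not KingSCADA's own code; the advisory does not disclose the product's actual file format), the following Python contrasts a constructed reversible obfuscation with salted, iterated one-way hashing. The fixed key, the iteration count and the sample password are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for "easy to decode" storage: fixed-key XOR.
# The key is an assumption baked into the hypothetical product, so anyone
# holding the password file can undo it. Not KingSCADA's real scheme.
DEMO_KEY = b"hypothetical-fixed-key"
ITERATIONS = 600_000  # PBKDF2 work factor for the hardened store (assumed)

def xor_with_key(data: bytes) -> bytes:
    """Symmetric 'encryption': applying it twice returns the input."""
    return bytes(b ^ DEMO_KEY[i % len(DEMO_KEY)] for i, b in enumerate(data))

def reversible_store(password: str) -> bytes:
    return xor_with_key(password.encode())

def reversible_decode(record: bytes) -> str:
    # No secret beyond the constant key is needed: the file alone suffices.
    return xor_with_key(record).decode()

def hashed_store(password: str) -> dict:
    """Salted, iterated one-way hash: the record cannot be turned back into the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iter": ITERATIONS, "hash": digest.hex()}

def hashed_verify(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iter"]
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))

def same_password_same_record(store) -> bool:
    """Audit heuristic for an opaque credential file: if two accounts with the
    same password produce identical stored records, the store is unsalted and
    the records can be compared or decoded offline."""
    return store("Operator1!") == store("Operator1!")

if __name__ == "__main__":
    rec = reversible_store("Operator1!")
    print("reversible record decodes to:", reversible_decode(rec))
    print("reversible store leaks equality:", same_password_same_record(reversible_store))
    print("hashed store leaks equality:", same_password_same_record(hashed_store))
    print("hashed verify ok:", hashed_verify(hashed_store("Operator1!"), "Operator1!"))
```

The equality check is the one test a defender can run against a credential file without knowing its format: identical stored records for identical passwords mean the storage is not salted and should be treated as decodable.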

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICSA-12-129-01.pdf
