Today the DHS ICS-CERT published an advisory that updated a September alert issued for twin ActiveX vulnerabilities in the WellinTech KingView application. The earlier alert and this advisory respond to uncoordinated disclosures made by Blake (here and here).
ICS-CERT describes these vulnerabilities as:
• Insecure ActiveX control - CVE-2013-6127 (a flaw in the SuperGrid.ocx ActiveX control); and
• ActiveX Remote File Creation/Overwrite - CVE-2013-6128 (a flaw in the KChartXY.ocx ActiveX control)
NOTE: CVE links are not yet active.
ICS-CERT notes that a moderately skilled attacker could remotely execute the publicly available exploits to overwrite files and copy them from one location to another on the target machine. WellinTech has developed new versions of the affected files that hopefully (my word, not ICS-CERT’s) mitigate the vulnerabilities. Bruce, being a non-cooperative researcher, does not get the chance to publicly verify the efficacy of the updates, nor is there any mention that ICS-CERT has done so.