ICS-CERT Updates Earlier WellinTech Alert

Today the DHS ICS-CERT published an advisory that updated a September alert issued for twin ActiveX vulnerabilities in the WellinTech KingView application. The earlier alert and this advisory respond to uncoordinated disclosures made by Blake (here and here).

ICS-CERT describes these vulnerabilities as:

• Insecure ActiveX control - CVE-2013-6127 (a flaw in the SuperGrid.ocx ActiveX control); and

• ActiveX Remote File Creation/Overwrite - CVE-2013-6128 (a flaw in the KChartXY.ocx ActiveX control}

NOTE: CVE links are not yet active.

ICS-CERT notes that a moderately skilled attacker could remotely execute the publicly available exploits to overwrite files and copy them from one location to another on the target machine. WellinTech has developed new versions of the affected files that hopefully (my word not ICS-CERT’s) mitigate the vulnerabilities. Bruce, being a non-cooperative researcher, does not get the chance to publicly verify the efficacy of the updates nor is there any mention that ICS-CERT has done so.

While ICS-CERT does now give credit to Bruce as the discoverer of the vulnerabilities it does not give credit to OSVDB.ORG for the two workarounds provided in this advisory. Those two workarounds (here and here) were on the OSVDB.org web site the day the initial alert was published. It is not clear from that site if the workarounds were developed by OSVDB or by Bruce.