WellinTech KingView DLL Hijack Vulnerability
Low Risk · ICS-CERT ICSA-12-122-01 · Feb 2, 2012
Summary
WellinTech KingView 6.53 is vulnerable to DLL hijacking attacks. An attacker with local access to a KingView workstation can place a malicious DLL in the application's search path, causing KingView to load the attacker's code instead of the legitimate library. This allows arbitrary code execution with the privileges of the KingView application. The vulnerability stems from improper DLL loading practices (CWE-427) and affects only version 6.53 with no vendor fix currently available.
What this means
What could happen
An attacker with access to a workstation running KingView could inject malicious code into the application by placing a specially crafted DLL file in the application's search path, potentially gaining control over HMI operations and process monitoring.
Who's at risk
This affects operators and engineers using WellinTech KingView version 6.53 as an HMI (Human-Machine Interface) platform for monitoring and controlling water treatment plants, electric distribution systems, or other industrial processes. Facility IT staff managing these workstations should be particularly concerned.
How it could be exploited
An attacker with local access to a workstation running KingView 6.53 exploits DLL hijacking by placing a malicious DLL file in a directory that KingView searches before the legitimate system directory. When KingView loads its libraries during startup or operation, it loads the attacker's DLL instead of the legitimate one, executing arbitrary code with KingView's privileges.
Prerequisites
- Local access to a workstation running WellinTech KingView 6.53
- Write permissions to a directory in the KingView application search path
- Knowledge of which DLL file KingView attempts to load
- No patch available
- Local code execution possible
- Low complexity attack
- Affects HMI/supervisory control software
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product | Affected Versions | Fix Status
WellinTech KingView: 6.53 | 6.53 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict local access and user account privileges on workstations running KingView; limit user permissions to only necessary application directories
- HARDENING: Monitor the KingView application directory and library load paths for unexpected or unauthorized DLL files
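One way to carry out the DLL monitoring step above, as an added example that is not part of the advisory or of any WellinTech tooling: it records a hash baseline of the DLLs under the KingView install directory and later reports new, modified or missing DLLs, plus new DLLs whose name collides with a library in the system directory. The function names, the directory arguments and the demo file names are assumptions, and the demo runs on constructed temporary directories.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(app_dir):
    """Map lower-cased relative path -> SHA-256 for every DLL under app_dir."""
    root = Path(app_dir)
    return {p.relative_to(root).as_posix().lower():
            hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() == ".dll"}

def audit(app_dir, baseline, system_dir):
    """Compare the DLLs now under app_dir with a known-good baseline.
    Returns sorted (finding, relative_path) tuples:
      NEW      - DLL that is not in the baseline
      MODIFIED - content hash differs from the baseline
      MISSING  - baseline DLL that is no longer present
      SHADOWS  - new DLL whose file name also exists in system_dir
    """
    current = snapshot(app_dir)
    system_names = {p.name.lower() for p in Path(system_dir).iterdir()
                    if p.suffix.lower() == ".dll"}
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            name = rel.rsplit("/", 1)[-1]
            findings.append(("SHADOWS" if name in system_names else "NEW", rel))
        elif baseline[rel] != digest:
            findings.append(("MODIFIED", rel))
    findings += [("MISSING", rel) for rel in baseline if rel not in current]
    return sorted(findings)

def demo():
    """Constructed sample: temp dirs stand in for the install and system dirs."""
    with tempfile.TemporaryDirectory() as tmp:
        app, system = Path(tmp, "app"), Path(tmp, "system32")
        app.mkdir()
        system.mkdir()
        (app / "vendor.dll").write_bytes(b"vendor build 1")
        (system / "sample.dll").write_bytes(b"os copy")
        baseline = snapshot(app)  # taken while the install is known good
        (app / "sample.dll").write_bytes(b"unexpected copy")
        (app / "vendor.dll").write_bytes(b"changed")
        return audit(app, baseline, system)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Store the baseline somewhere the KingView user account cannot write, and treat any SHADOWS or NEW finding as a reason to inspect the file before the application is next started.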
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Apply security updates from WellinTech if and when available; check vendor website regularly for patches
Mitigations - no patch available
WellinTech KingView: 6.53 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Run KingView with the principle of least privilege; use dedicated service accounts with minimal required permissions
- HARDENING: Implement application whitelisting on workstations running KingView to prevent execution of unsigned or unauthorized executables
CVEs (1)