WellinTech KingView ActiveX Vulnerabilities
Low Risk · ICS-CERT ICSA-13-295-01 · Jul 25, 2013
Summary
WellinTech KingView versions prior to 6.53 contain multiple insecure ActiveX control vulnerabilities (CWE-40, CWE-28) that allow arbitrary code execution. The vulnerability is triggered when a user visits a malicious webpage or opens a malicious document containing embedded ActiveX controls. No patch has been made available by the vendor for affected versions.
What this means
What could happen
An attacker who tricks an operator or engineer into opening a malicious webpage could execute arbitrary code on the KingView engineering workstation, potentially allowing them to modify HMI configurations, alter process setpoints, or launch further attacks on connected industrial equipment.
Who's at risk
Any water authority, electric utility, or other facility using WellinTech KingView as a human-machine interface (HMI) for SCADA or process control systems should be aware of this vulnerability. This affects engineering workstations and operator stations that run KingView versions before 6.53, particularly those that can access the internet or receive email and documents from external sources.
How it could be exploited
An attacker crafts a webpage or document embedding malicious ActiveX controls. When an operator or engineer with KingView installed visits the page or opens the document in Internet Explorer, the browser executes the embedded control without proper validation. The control runs with the privileges of the logged-in user.
Prerequisites
- KingView version prior to 6.53 installed on a Windows system with Internet Explorer
- User must visit an attacker-controlled or compromised webpage, or open a malicious Office document, while logged in
Key points:
- no patch available
- low complexity attack (social engineering)
- ActiveX-based code execution
- affects engineering/operator workstations that have control authority
Exploitability
Moderate exploit probability (EPSS 10.0%)
Affected products (1)
Product  | Affected Versions | Fix Status
KingView | <6.53             | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict web browsing on KingView engineering workstations to trusted, internal sites only, using URL filtering or host-based firewall rules.
WORKAROUND: Disable ActiveX controls in Internet Explorer settings on KingView workstations, or use a different browser that does not support legacy ActiveX.
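The ActiveX workaround above, as an added example that is not part of the advisory: a PowerShell script that disables ActiveX in the Internet and Restricted Sites zones of Internet Explorer machine-wide, verifies the result, and can set a kill bit for a named control. It assumes an elevated session; the advisory does not list the affected control's CLSID, so the CLSID in the final line is a placeholder.

```powershell
# Added example, not vendor or ICS-CERT code. Run elevated on a KingView workstation.
# IE zone action IDs (documented by Microsoft):
#   1001 Download signed ActiveX controls   1004 Download unsigned ActiveX controls
#   1200 Run ActiveX controls and plug-ins  1201 Init/script controls not marked safe
# Data: 0 = Enable, 1 = Prompt, 3 = Disable
$ActiveXActions = 1001, 1004, 1200, 1201
$Disable = 3
$InetSettings = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneRoot = "$InetSettings\Zones"

function Set-ActiveXDisabled {
    # Zone 3 = Internet, 4 = Restricted sites. Intranet (1) is left untouched so
    # trusted internal HMI content keeps working; tighten further per site policy.
    param([int[]]$Zones = @(3, 4))
    # Force IE to honour the machine (HKLM) zone settings over per-user ones.
    Set-ItemProperty -Path $InetSettings -Name 'Security_HKLM_only' -Value 1 -Type DWord
    foreach ($zone in $Zones) {
        $key = Join-Path $ZoneRoot "$zone"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($action in $ActiveXActions) {
            Set-ItemProperty -Path $key -Name "$action" -Value $Disable -Type DWord
        }
    }
}

function Test-ActiveXDisabled {
    # Returns $true only when every ActiveX action in the given zones reads back as Disable.
    param([int[]]$Zones = @(3, 4))
    $ok = $true
    foreach ($zone in $Zones) {
        $key = Join-Path $ZoneRoot "$zone"
        foreach ($action in $ActiveXActions) {
            $name = "$action"
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            if ($value -ne $Disable) { Write-Warning "Zone $zone action $name = $value"; $ok = $false }
        }
    }
    return $ok
}

function Set-ActiveXKillBit {
    # Kill bit (0x400 in Compatibility Flags) stops IE instantiating the control at all.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]$flags -bor 0x400) -Type DWord
}

Set-ActiveXDisabled
Test-ActiveXDisabled
# Set-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}'  # placeholder CLSID, not from the advisory
```

Re-run Test-ActiveXDisabled after a Group Policy refresh to confirm domain policy has not reverted the zone settings.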
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HARDENING: Apply Windows and Internet Explorer security updates and enable Protected Mode to reduce the ActiveX attack surface.
Mitigations - no patch available
KingView <6.53 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Require KingView operators and engineers to use separate, isolated workstations for web browsing and email.
CVEs (2)