WellinTech KingSCADA Stack-Based Buffer Overflow
ICS-CERT ICSA-14-098-02 · Jan 9, 2014
Summary
WellinTech KingSCADA contains a stack-based buffer overflow vulnerability (CWE-121) in versions prior to 3.1.2.13. An attacker can overflow a stack buffer by sending specially crafted messages to the KingSCADA service, potentially leading to arbitrary code execution on the SCADA server with the privileges of the running process. No patch is currently available from the vendor.
What this means
What could happen
A stack-based buffer overflow in KingSCADA could allow an attacker to execute arbitrary code on the SCADA server, potentially disrupting critical energy infrastructure operations or enabling persistent access to control systems.
Who's at risk
Energy utilities operating WellinTech KingSCADA systems for SCADA monitoring and control, particularly those running versions prior to 3.1.2.13. This includes utilities managing power distribution, generation monitoring, or critical infrastructure dependent on real-time SCADA data collection and control.
How it could be exploited
An attacker who can send a specially crafted message to a KingSCADA instance would trigger a buffer overflow that overwrites the stack, allowing them to execute arbitrary code with the privileges of the SCADA process. This could happen over the network if KingSCADA is reachable from an untrusted network segment.
Prerequisites
- Network access to the KingSCADA service port
- Ability to send crafted protocol messages to KingSCADA
- KingSCADA version earlier than 3.1.2.13
Tags: remotely exploitable · no patch available · high EPSS score (50.9%) · affects control systems · buffer overflow (memory corruption)
Exploitability
High exploit probability (EPSS 50.9%)
Affected products (1)
Product   | Affected Versions | Fix Status
KingSCADA | <v3.1.2.13        | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate KingSCADA servers on a separate network segment with strict firewall rules; restrict inbound access to only authorized engineering workstations and authorized control devices
WORKAROUND: Disable remote access to KingSCADA if not operationally required; require VPN or physical network access for engineering changes
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade KingSCADA to version 3.1.2.13 or later if available from vendor; contact WellinTech for patched versions
Mitigations - no patch available
KingSCADA <v3.1.2.13 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor network traffic to and from KingSCADA for unusual or malformed messages; implement intrusion detection signatures for buffer overflow attempts if available
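The two compensating controls above (allow-listing inbound sources and watching for malformed messages) can be screened mechanically. The following is an added example, not code from the advisory or from WellinTech: it runs over constructed flow records already known to be destined for the KingSCADA server and flags sources outside an assumed authorized list or payloads above an assumed size threshold. The advisory does not describe the KingSCADA message layout, so the size check is only a heuristic.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumptions (constructed for this example, not from the advisory):
# engineering workstations allowed to reach the KingSCADA service, and a
# payload size above which a message is treated as suspect.
AUTHORIZED_HOSTS = {"10.10.1.5", "10.10.1.6"}
MAX_PAYLOAD_BYTES = 4096


@dataclass
class Flow:
    src: str          # source address of the connection
    payload_len: int  # bytes sent toward the KingSCADA service


def screen_flow(flow: Flow) -> list[str]:
    """Return findings for one flow; an empty list means nothing unusual."""
    findings = []
    if flow.src not in AUTHORIZED_HOSTS:
        findings.append("unauthorized-source")  # segmentation / ACL violation
    if flow.payload_len > MAX_PAYLOAD_BYTES:
        findings.append("oversized-payload")    # candidate malformed message
    return findings


def screen_log(lines: list[str]) -> dict[str, list[str]]:
    """Parse 'src payload_len' records and map each flagged record to its findings."""
    report: dict[str, list[str]] = {}
    for line in lines:
        src, length = line.split()
        findings = screen_flow(Flow(src, int(length)))
        if findings:
            report[line] = findings
    return report


# Constructed sample records: one benign, one from an unknown host, one oversized.
SAMPLE_LOG = [
    "10.10.1.5 512",
    "192.0.2.77 512",
    "10.10.1.6 70000",
]

if __name__ == "__main__":
    for record, findings in screen_log(SAMPLE_LOG).items():
        print(record, "->", ", ".join(findings))
```

Hits from the size heuristic should be corroborated with an IDS signature or packet capture rather than treated as confirmed exploitation attempts.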
CVEs (1)