Cisco Talos reveals WellinTech ICS platform vulnerable to information disclosure, buffer overflow loopholes

Two vulnerabilities have been identified by Cisco Talos researchers in WellinTech’s KingHistorian industrial control systems (ICS) data manager. Talos tested and confirmed that the affected version of WellinTech KingHistorian could be exploited by these vulnerabilities.

Carl Hurd of Cisco Talos discovered these vulnerabilities, Jonathan Munshaw disclosed in a company blog post. Users have been called upon to update these affected products as soon as possible to WellinTech KingHistorian, version 35.01.00.05. 

Talos discovered an information disclosure vulnerability, tracked as CVE-2022-45124, in the software’s user authentication function. The security loophole exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability. If an adversary could capture an authentication packet, it contains all the necessary information to steal the target user’s username and password for the software.

KingHistorian is a time-series database that allows users to ingest and process large amounts of data from ICS, including built-in statistical analysis. It has been designed to be high-performance and highly reliable for processing data. The protocol used to communicate with XDBServer uses a mixture of ciphering and compression, which prevents plaintext strings from being sent directly. However, if an attacker captures an authentication packet, then all the necessary information is included in the packet to recover the username and password.

Packets contain a 0x14-byte header starting with ‘SORB’ in ASCII as magic bytes. The rest of this header is uninteresting for this attack. Once the 0x14 bytes are skipped over, the first byte of the packet’s data section indicates whether the payload is compressed, with the least-significant bit of that byte serving as the compression flag. If the packet is compressed, it is decompressed with ‘quicklz.’
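The framing just described is enough to recognise XDBServer traffic on a monitored segment, which is what a defender needs in order to see where authentication packets are travelling in the clear. The following parser is an added example, not code from Talos or WellinTech; it assumes only the 0x14-byte ‘SORB’ header and the compression bit in the first data byte, treats the rest of the header as opaque, and deliberately does not decompress or decipher anything. The sample frames are constructed, not captured traffic.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Set, Tuple

# Assumed framing (from the advisory text): 0x14-byte header beginning with
# ASCII "SORB", then a data section whose first byte carries the compression
# flag in its least-significant bit. Remaining header bytes are not described
# on the page and are kept opaque here.
HEADER_LEN = 0x14
MAGIC = b"SORB"


@dataclass
class SorbFrame:
    header: bytes      # full 0x14-byte header, opaque after the magic
    flags: int         # first data byte as received
    compressed: bool   # flags & 0x01 (quicklz payload if set)
    body: bytes        # remaining payload, left untouched


def parse_sorb_frame(packet: bytes) -> Optional[SorbFrame]:
    """Return a SorbFrame if packet looks like an XDBServer frame, else None.
    A header with no data byte after it is rejected: there is no flag to read."""
    if len(packet) < HEADER_LEN + 1 or packet[:4] != MAGIC:
        return None
    flags = packet[HEADER_LEN]
    return SorbFrame(
        header=packet[:HEADER_LEN],
        flags=flags,
        compressed=bool(flags & 0x01),
        body=packet[HEADER_LEN + 1:],
    )


def classify(packet: bytes) -> str:
    """Coarse label for a monitoring pipeline: not-sorb / sorb-plain / sorb-compressed."""
    frame = parse_sorb_frame(packet)
    if frame is None:
        return "not-sorb"
    return "sorb-compressed" if frame.compressed else "sorb-plain"


def sorb_talkers(flows: Iterable[Tuple[str, str, bytes]]) -> Set[Tuple[str, str]]:
    """Given (src, dst, payload) records, return the host pairs exchanging SORB
    frames, so that unexpected clients talking to the historian can be flagged."""
    return {(src, dst) for src, dst, payload in flows if parse_sorb_frame(payload)}


# Constructed sample frames (hypothetical bytes, not real KingHistorian traffic).
SAMPLE_PLAIN = MAGIC + bytes(16) + b"\x00" + b"example-body"
SAMPLE_COMPRESSED = MAGIC + bytes(16) + b"\x01" + b"\x4a\x00\x00"
```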

By combining the parts of the ‘enc_key,’ it is possible to decipher the ‘ciphered_password’ from the packet back into the plaintext form, Cisco Talos revealed.

The second vulnerability, tracked as CVE-2022-43663, exists in a DLL in the software that could allow an adversary to cause a buffer overflow by sending a malicious packet to the targeted machine. Here, an integer conversion vulnerability exists in the SORBAx64.dll RecvPacket functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a buffer overflow, and an attacker can send a malicious packet to trigger this vulnerability.

“On December 16, 2022, Carl Hurd, an expert at Cisco Talos, discovered a vulnerability and immediately reported it to the vendor,” The Cyber Express wrote in a post. “The vendor acknowledged and disclosed the vulnerability on December 22 and eventually released a patch on March 17, 2023. Subsequently, the vulnerability was publicly released on March 20, 2023.”

Cisco Talos worked with WellinTech to ensure that these issues are resolved and an update is available for affected customers, in adherence to the company’s vulnerability disclosure policy.

Last week, Cisco Talos researchers spotted a new online threat actor – YoroTrooper – that has been carrying out espionage operations since June 2022. The researchers said that, based on their analysis, the main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan, and other Commonwealth of Independent States (CIS) countries. The actor relies on social engineering and spear-phishing for delivery, exfiltrates data from victims, and uses both custom and commodity malware.
