1. Introduction
WellinTech KingOPCServer Detection indicates a SCADA application is installed on a remote Windows host. KingOPCServer is used for communication between industrial control systems and other applications. Its presence introduces potential risks as it may be vulnerable to exploitation, allowing attackers to compromise the system. This could lead to loss of confidentiality, integrity or availability of critical processes.
2. Technical Explanation
KingOPCServer is installed on a Windows host and provides an interface for accessing industrial control data. Exploitation typically involves targeting vulnerabilities within the OPC server itself. Attackers can gain access to sensitive information or manipulate control systems. Preconditions include network connectivity to the affected host and knowledge of the KingOPCServer installation.
- Root cause: The software is installed, presenting a potential attack surface.
- Exploit mechanism: An attacker could exploit known vulnerabilities in the server’s communication protocols or data handling routines.
- Scope: Windows hosts with WellinTech KingOPCServer installed are affected.
3. Detection and Assessment
Confirming a KingOPCServer installation is the primary assessment step. Use quick checks to identify its presence, followed by more thorough methods for version identification.
- Quick checks: Check the installed programs list in Control Panel, or use PowerShell with Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*KingOPCServer*"}.
- Scanning: Nessus plugin ID 91867 may identify KingOPCServer installations. This is an example only and should be verified.
- Logs and evidence: Review application event logs for entries related to KingOPCServer, specifically looking for startup or error messages.
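The Win32_Product query used in the quick check lists only MSI-installed products, and enumerating that class makes Windows Installer run a consistency check on every installed package, which is an unwelcome side effect on a control-system host. The following read-only registry check is an added example, not part of the original guidance or any vendor tooling; the function name Find-KingOPCServer is hypothetical, and it assumes the product's DisplayName contains "KingOPCServer", as in the filter above.

```powershell
# Added example: read-only inventory check; the function name is hypothetical.
# Assumes the product's DisplayName contains "KingOPCServer", as in the page's own filter.
function Find-KingOPCServer {
    [CmdletBinding()]
    param(
        [string]$NamePattern = '*KingOPCServer*'
    )

    # Uninstall keys cover MSI and non-MSI installers; WOW6432Node holds 32-bit apps on 64-bit Windows.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $installs = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern }

    foreach ($app in $installs) {
        # Services whose binary lives under the install directory show what stops working on removal.
        $services = @()
        if ($app.InstallLocation) {
            $prefix = [regex]::Escape($app.InstallLocation.TrimEnd('\'))
            $services = @(Get-CimInstance -ClassName Win32_Service |
                Where-Object { $_.PathName -match $prefix } |
                ForEach-Object { '{0} ({1})' -f $_.Name, $_.State })
        }

        [pscustomobject]@{
            ComputerName    = $env:COMPUTERNAME
            DisplayName     = $app.DisplayName
            DisplayVersion  = $app.DisplayVersion
            Publisher       = $app.Publisher
            InstallLocation = $app.InstallLocation
            UninstallString = $app.UninstallString
            RegistryKey     = $app.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            Services        = $services -join '; '
        }
    }
}

# Empty output means no matching uninstall entry was found on this host.
Find-KingOPCServer | Format-List
```

The DisplayVersion field gives the version for patch assessment, and the Services column lists what would be affected by removal.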
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*KingOPCServer*"}
4. Solution / Remediation Steps
The primary solution is to remove the software if it is not required. If needed, ensure it’s updated to the latest version and properly secured.
4.1 Preparation
- Ensure you have access to the original installation media in case re-installation is needed. The roll back plan is to restore from the pre-uninstall snapshot.
- Change windows may be required, and approval should be sought from system owners.
4.2 Implementation
- Step 1: Uninstall KingOPCServer through Control Panel > Programs and Features.
4.3 Config or Code Example
Before
KingOPCServer is listed in Installed Programs
After
KingOPCServer is not listed in Installed Programs
4.4 Security Practices Relevant to This Vulnerability
Least privilege and a robust patch cadence are relevant practices for mitigating risks associated with applications like KingOPCServer.
- Practice 1: Least privilege – limit user accounts that have access to the system running KingOPCServer.
- Practice 2: Patch cadence – regularly update all software, including SCADA components, to address known vulnerabilities.
4.5 Automation (Optional)
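# Example PowerShell script to uninstall KingOPCServer (use with caution!)
# Win32_Product objects are not valid pipeline input for Uninstall-Package; call the WMI Uninstall() method on each match instead.
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*KingOPCServer*"} | ForEach-Object { $_.Uninstall() }
5. Verification / Validation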
- Post-fix check: Run Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*KingOPCServer*"}, which should return no results.
- Re-test: Re-run the initial installed programs check to confirm KingOPCServer is not present.
- Smoke test: Verify any applications that relied on KingOPCServer are still functioning as expected.
- Monitoring: Monitor application event logs for errors related to missing dependencies or failed connections.
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*KingOPCServer*"}
6. Preventive Measures and Monitoring
Regular security baselines and software inventory management can help prevent the installation of unnecessary or vulnerable applications like KingOPCServer.
- Baselines: Update a security baseline to disallow the installation of unapproved SCADA components.
- Pipelines: Implement application whitelisting or control lists in deployment pipelines.
- Asset and patch process: Review software inventory regularly for unauthorized applications, and enforce a strict patch management schedule.
7. Risks, Side Effects, and Roll Back
Uninstalling KingOPCServer may disrupt dependent services. A roll back involves restoring from the pre-uninstall snapshot or re-installing the application.
- Roll back: Restore the system from the pre-uninstall snapshot, or re-install KingOPCServer using the original installation media.
8. References and Resources
- Vendor advisory or bulletin: http://web.archive.org/web/20130605055412/http://en.wellintech.com:80/index.php/allproducts/kingscada