CVE-2022-43663 – An integer conversion vulnerability in WellinTe... (How to Fix)

Q: What is the severity of CVE-2022-43663?

CVE-2022-43663 has a CVSS score of 8.1 (HIGH). An integer conversion vulnerability in WellinTech KingHistorian's SORBAx64.dll allows remote attackers to trigger a buffer overflow via specially crafted network packets. This could lead to arbitrary code execution or denial of service. Systems running vulnerable versions of KingHistorian with network exposure are affected.

📋 TL;DR

An integer conversion vulnerability in WellinTech KingHistorian's SORBAx64.dll allows remote attackers to trigger a buffer overflow via specially crafted network packets. This could lead to arbitrary code execution or denial of service. Systems running vulnerable versions of KingHistorian with network exposure are affected.

💻 Affected Systems

Products:

WellinTech KingHistorian

Versions: 35.01.00.05 and likely earlier versions

Operating Systems: Windows (x64)

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the SORBAx64.dll component used for network communication. KingHistorian is SCADA/industrial software often deployed in critical infrastructure.

📦 What is this software?

Kinghistorian by Wellintech

View all CVEs affecting Kinghistorian →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with SYSTEM/root privileges leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Denial of service causing KingHistorian service crashes and industrial process disruption.

🟢

If Mitigated

Limited impact with proper network segmentation and exploit prevention controls in place.

🌐 Internet-Facing: HIGH - Network-accessible service vulnerable to unauthenticated remote exploitation.

🏢 Internal Only: HIGH - Even internally, this is a critical vulnerability affecting industrial control systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Talos Intelligence published detailed analysis and proof-of-concept. The vulnerability requires sending crafted packets to the vulnerable service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact WellinTech for updated version

Vendor Advisory: https://www.wellintech.com/security/ (check for specific advisory)

Restart Required: Yes

Instructions:

1. Contact WellinTech support for patched version
2. Backup KingHistorian configuration and data
3. Apply vendor-provided patch/update
4. Restart KingHistorian service
5. Verify functionality

🔧 Temporary Workarounds

Network Segmentation

windows

Isolate KingHistorian systems from untrusted networks using firewalls

Windows Firewall: New-NetFirewallRule -DisplayName "Block KingHistorian" -Direction Inbound -Protocol TCP -LocalPort [KingHistorian Port] -Action Block

Service Restriction

all

Restrict KingHistorian service to only necessary IP addresses

🧯 If You Can't Patch

Implement strict network access controls allowing only trusted systems to communicate with KingHistorian
Deploy intrusion prevention systems (IPS) with rules to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check KingHistorian version in About dialog or installation directory. Version 35.01.00.05 is confirmed vulnerable.

Check Version:

Check KingHistorian GUI About section or examine installed program version in Windows Programs and Features

Verify Fix Applied:

Verify updated version from vendor and test network connectivity while monitoring for crashes.

📡 Detection & Monitoring

Log Indicators:

KingHistorian service crashes
Unexpected process termination events
Memory access violation errors in Windows Event Logs

Network Indicators:

Unusual network traffic to KingHistorian ports
Malformed packet patterns matching Talos PoC

SIEM Query:

source="windows" AND (event_id=1000 OR event_id=1001) AND process_name="KingHistorian*" OR source="firewall" AND dest_port=[KingHistorian Port] AND packet_size>normal

📊 Metadata

CVE ID: CVE-2022-43663

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-195

Published: March 20, 2023

Last Updated: November 21, 2024

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2022-1674 Exploit,Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1674 Exploit,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1674

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-43663, you might also want to check these: