Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available

SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Critical Vulnerability in Honeywell Virtual Controller Allows Remote Code Execution

Claroty shows how Honeywell ControlEdge Virtual UOC vulnerability can be exploited for unauthenticated remote code execution.

OT, IoT and medical device cybersecurity firm Claroty has disclosed information on vulnerabilities found by its researchers in Honeywell’s Control Edge Unit Operations Controller (UOC).

Claroty researchers have found vulnerabilities in the ControlEdge Virtual UOC industrial automation controller, which can be deployed as a Linux-based virtual machine, eliminating the need for a physical controller.

The research focused on the EpicMo proprietary protocol, which is used for communication between Honeywell Experion servers and controllers. 

One of the vulnerabilities found in the protocol, tracked as CVE-2023-5389 and rated ‘critical severity’, is related to an undocumented function that allows writing files on Virtual UOC controllers. 

The flaw could allow an attacker who has access to the targeted organization’s OT network to execute arbitrary code without authentication by sending malicious packets to the controller.

“This attack could be carried out remotely in order to modify files, resulting in full control of the controller and the execution of malicious code,” Claroty explained. 

A second vulnerability found by Claroty is CVE-2023-5390, a medium-severity absolute path traversal issue that could allow an attacker to read files from a controller, potentially exposing limited information from the device. 

Claroty reported its findings to Honeywell, which released patches and published its own advisory to inform customers about the flaws. 

Advertisement. Scroll to continue reading.

The US cybersecurity agency CISA also published an advisory recently. The agency’s advisory covers 16 vulnerabilities affecting Honeywell’s Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC products.

A majority of these flaws were discovered by cybersecurity firm Armis and their exploitation can lead to the disclosure of sensitive information, privilege escalation, or remote code execution. Armis, which dubbed the vulnerabilities Crit.IX, published details last year. 

*updated with link to Armis research

Related: Hackers Could Disrupt Industrial Processes via Flaws in Widely Used Honeywell DCS

Related: Honeywell: USB Malware Attacks on Industrial Orgs Becoming More Sophisticated

Related: Honeywell DCS Platform Vulnerabilities Can Facilitate Attacks on Industrial Organizations

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

CIEM Chat: How to Reduce Cloud Identity Risk
March 26, 2024

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

Virtual Event: Ransomware Resilience & Recovery Summit
April 17, 2024

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights