A distributed control system (DCS) product offered by Honeywell is affected by vulnerabilities that could allow malicious actors to disrupt industrial processes.
Researchers at industrial cybersecurity firm Claroty discovered that Honeywell’s Experion Process Knowledge System (PKS) is affected by three types of vulnerabilities. Two of them, CVE-2021-38395 and CVE-2021-38397, have been assigned a severity rating of critical and can allow an attacker to remotely execute arbitrary code on the system or cause a denial of service (DoS) condition.
The third flaw, tracked as CVE-2021-38399 and classified as high severity, is a path traversal issue that can allow an attacker to access files and folders.
The industrial giant published a security advisory for these vulnerabilities in February, when it informed customers about its plans for releasing patches this year. Some versions of the impacted products, however, will not receive fixes.
In a blog post published on Tuesday, Claroty detailed the vulnerabilities found by its Team82 researchers, as well as their potential impact in real world environments.
The Honeywell Experion PKS product is used by organizations worldwide to control large industrial processes. The DCS leverages controllers that can be programmed using engineering workstation software named Experion PKS Configuration Studio. The logic programmed for a controller is downloaded from the engineering station to the DCS components.
“In the case of the Experion PKS, Team82 found that it is possible to mimic the download code procedure and use these requests to upload arbitrary DLL/ELF files (for simulators and controllers, respectively). The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication,” Claroty explained.
Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
An attacker could exploit the vulnerabilities to cause significant disruptions or to abuse the DCS for further attacks on the targeted organization’s network. However, Claroty pointed out that the ports an attacker needs access to in order to exploit the vulnerabilities are typically not exposed to the internet. The attacker would need to find a way to access the targeted organization’s OT network before exploiting the flaws.
Honeywell said the vulnerabilities impact its C200, C200E, C300 and ACE controllers. The ACE and C200 controllers will not receive patches, but mitigations are available, especially since network access is required for exploitation.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released both an advisory and a notification to inform organizations about the threat posed by these vulnerabilities.
Related: Vulnerabilities Allow Hackers to Access Honeywell Fire Alarm Systems
Related: Serious Vulnerabilities Expose Honeywell Surveillance Systems to Attacks