ICS-CERT Warns of Vulnerability in Facility System Integration Software

 A vulnerability in a platform used to integrate different systems controlling devices such as heating and ventilation systems could allow attackers to remotely execute code and affect availability.

The vulnerability, uncovered by researcher Juan Vazquez of Rapid7, rests in the Honeywell Enterprise Buildings Integrator (EBI) R310 – R410.2. The technology uses open architecture and industry standards to integrate existing building systems such as lighting, energy management and HVAC (heating, ventilation and air conditioning) controls.


“The specific flaw exists within the HSC Remote Deploy ActiveX (HSCRemoteDeploy.dll), with the class ID “0D080D7D-28D2-4F86-BFA1-D582E5CE4867”,” blogged Vazquez. “This control is used to support installation of Honeywell HMIWeb Browser on workstation clients. The LaunchInstaller() method, provided by the vulnerable control, can be abused to run an arbitrary HTA application through mshta.exe.”

In an advisory, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) notes that the vulnerability could be exploited via a specially-crafted HTML document, and impacts the Honeywell EBI, SymmetrE and ComfortPoint Open Manager (CPO-M) Station as well as HMIWeb Browser client packages.

An attacker would only need medium skill to exploit this vulnerability using social engineering, according to the team.

“The attacker would require an end-user or operator to voluntarily interact with the attack mechanism for it to be successful,” according to ICS-CERT. “For example, the attacker could send an email message to the end-user, containing a link to a Web site with the specially crafted HTML document.”

“The platforms are typically managed and controlled by dedicated Station-based clients on secured, isolated building control, security or life safety networks,” ICS-CERT noted. “Noncritical applications can be installed on customer-based enterprise networks and can use the optional Web browser interface.”

According to the advisory, Honeywell recommends disabling HscRemoteDeploy.dll from any client or server computers on vulnerable systems since it is not used for any runtime functions and is only required to simplify the installation or upgrade of the HMIWeb Browser client. The company has also created a Station Security Update package that disables the DLL that should be run on the EBI servers, all Station client PCs and any PCs that have used the HMIWeb Browser client.


“Honeywell recommends asset owners contact their local HBS service representative as this update should only be performed by a qualified, trained resource,” the ICS-CERT team notes. “Honeywell has requested that Microsoft issue a kill bit for the HscRemoteDeploy.dll in a future monthly Microsoft Windows security update. This will also automatically disable the DLL on any affected system that is using the Windows Update feature in the listed Honeywell products.”

Honeywell EBI, SymmetrE, and CPO-M users can also find information about the situation in Honeywell’s Bulletin CSA-2013-0131-01 or Product Bulletin 581 on the EBI support website.
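A read-only check for the kill bit mentioned above, added here as an example (it is not code from Honeywell, ICS-CERT or Rapid7). It uses the class ID quoted in the article and the standard Internet Explorer `ActiveX Compatibility` registry location; the function name `Get-ActiveXKillBitStatus` is hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the system.
# Assumption: run from a 64-bit PowerShell session so both registry views are visible.
$Clsid   = '{0D080D7D-28D2-4F86-BFA1-D582E5CE4867}'   # class ID quoted in the article
$KillBit = 0x400                                      # kill bit in "Compatibility Flags"

function Get-ActiveXKillBitStatus {                   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Clsid)

    # 64-bit Windows keeps separate registrations for 64-bit and 32-bit hosts.
    $views = [ordered]@{
        Native = 'HKLM:\SOFTWARE'
        WOW64  = 'HKLM:\SOFTWARE\Wow6432Node'
    }
    foreach ($view in $views.GetEnumerator()) {
        if (-not (Test-Path -LiteralPath $view.Value)) { continue }  # 32-bit Windows has no WOW64 view

        $compatKey = "$($view.Value)\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
        $serverKey = "$($view.Value)\Classes\CLSID\$Clsid\InprocServer32"

        # GetValue() returns $null when the value is absent; '' names the key's default value.
        $flags = $null
        if (Test-Path -LiteralPath $compatKey) {
            $flags = (Get-Item -LiteralPath $compatKey).GetValue('Compatibility Flags')
        }
        $dll = $null
        if (Test-Path -LiteralPath $serverKey) {
            $dll = (Get-Item -LiteralPath $serverKey).GetValue('')
        }

        $killed = [bool]($flags -band $KillBit)
        [pscustomobject]@{
            View        = $view.Key
            Registered  = [bool]$dll
            DllPath     = $dll
            KillBitSet  = $killed
            NeedsAction = ([bool]$dll -and -not $killed)   # registered and still loadable
        }
    }
}

Get-ActiveXKillBitStatus -Clsid $Clsid | Format-Table -AutoSize
```

A row with `NeedsAction` set to `True` means the control is registered in that view without a kill bit; the remediation itself remains the Honeywell update described above.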
