A vulnerability in a platform used to integrate different systems controlling devices such as heating and ventilation systems could allow attackers to remotely execute code and affect availability.
The vulnerability, uncovered by researcher Juan Vazquez of Rapid7, resides in the Honeywell Enterprise Buildings Integrator (EBI) R310 – R410.2. The technology uses open architecture and industry standards to integrate existing building systems such as lighting, energy management and HVAC (heating, ventilation and air conditioning) controls.
“The specific flaw exists within the HSC Remote Deploy ActiveX (HSCRemoteDeploy.dll), with the class ID ‘0D080D7D-28D2-4F86-BFA1-D582E5CE4867’,” blogged Vazquez. “This control is used to support installation of Honeywell HMIWeb Browser on workstation clients. The LaunchInstaller() method, provided by the vulnerable control, can be abused to run an arbitrary HTA application through mshta.exe.”
In an advisory, the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) notes that the vulnerability could be exploited via a specially-crafted HTML document, and impacts the Honeywell EBI, SymmetrE and ComfortPoint Open Manager (CPO-M) Station as well as HMIWeb Browser client packages.
An attacker would only need medium skill to exploit this vulnerability using social engineering, according to the team.
“The attacker would require an end-user or operator to voluntarily interact with the attack mechanism for it to be successful,” according to ICS-CERT. “For example, the attacker could send an email message to the end-user, containing a link to a Web site with the specially crafted HTML document.”
“The platforms are typically managed and controlled by dedicated Station-based clients on secured, isolated building control, security or life safety networks,” ICS-CERT noted. “Noncritical applications can be installed on customer-based enterprise networks and can use the optional Web browser interface.”
According to the advisory, Honeywell recommends disabling HscRemoteDeploy.dll on any client or server computers on vulnerable systems, since it is not used for any runtime functions and is only required to simplify the installation or upgrade of the HMIWeb Browser client. The company has also created a Station Security Update package that disables the DLL; the package should be run on the EBI servers, all Station client PCs and any PCs that have used the HMIWeb Browser client.
“Honeywell recommends asset owners contact their local HBS service representative as this update should only be performed by a qualified, trained resource,” the ICS-CERT team notes. “Honeywell has requested that Microsoft issue a kill bit for the HscRemoteDeploy.dll in a future monthly Microsoft Windows security update. This will also automatically disable the DLL on any affected system that is using the Windows Update feature in the listed Honeywell products.”
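One way to check a workstation for the control and its kill bit, as an added example that is not code from Honeywell, ICS-CERT or Rapid7. It assumes the standard Internet Explorer kill-bit location (the `Compatibility Flags` value with bit 0x400 under `ActiveX Compatibility\{CLSID}`) and a normal COM registration under `Classes\CLSID`; the helper name `Get-HscRemoteDeployState` is hypothetical.

```powershell
# Added example: audit one machine for the HSC Remote Deploy ActiveX control.
$Clsid   = '{0D080D7D-28D2-4F86-BFA1-D582E5CE4867}'  # class ID quoted in the article
$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE from loading a control

# 64-bit Windows keeps a separate 32-bit registry view, which 32-bit IE reads.
$Views = [ordered]@{
    'Native' = 'HKLM:\SOFTWARE'
    '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node'
}

function Get-HscRemoteDeployState {   # hypothetical helper name
    param([string]$ViewName, [string]$SoftwareRoot)

    # Where the control is registered, if it is installed in this view.
    $comKey = Join-Path $SoftwareRoot "Classes\CLSID\$Clsid\InprocServer32"
    $dll = $null
    if (Test-Path -LiteralPath $comKey) {
        $dll = (Get-ItemProperty -LiteralPath $comKey).'(default)'
    }

    # Where Internet Explorer looks for the kill bit.
    $compatKey = Join-Path $SoftwareRoot "Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = $null
    if (Test-Path -LiteralPath $compatKey) {
        $flags = (Get-ItemProperty -LiteralPath $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    }
    $killed = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)

    [pscustomobject]@{
        View       = $ViewName
        Registered = [bool]$dll
        DllPath    = $dll
        KillBitSet = $killed
        # Needs attention only when the control is present and IE may still load it.
        Exposed    = [bool]$dll -and -not $killed
    }
}

$report = foreach ($v in $Views.GetEnumerator()) {
    if (Test-Path -LiteralPath $v.Value) {
        Get-HscRemoteDeployState -ViewName $v.Key -SoftwareRoot $v.Value
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object Exposed) { exit 1 }   # non-zero exit for fleet tooling
```

The script only reads the registry, so it can be run from an elevated or standard prompt on EBI servers, Station clients and any PC that has used the HMIWeb Browser client.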
Honeywell EBI, SymmetrE, and CPO-M users can also find information about the situation in Honeywell’s Bulletin CSA-2013-0131-01 or Product Bulletin 581 on the EBI support website.