Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Johnson Controls, XZERES, Honeywell Patch Vulnerable Products

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released a series of advisories detailing security issues identified by researchers in products from XZERES, Honeywell, and Johnson Controls.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released a series of advisories detailing security issues identified by researchers in products from XZERES, Honeywell, and Johnson Controls.

According to ICS-CERT, Johnson Controls has released patches to address two high severity vulnerabilities affecting the 4.1, 5.x and 6.x releases of the Metasys building management system. The vulnerable releases are used in products such as Application and Data Server (ADS), Extended Application and Data Server (ADX), LonWorks Control Server 85 (LCS8520), Network Automation Engine (NAE), Network Integration Engine (NIE), and NxE8500.

Security researcher Billy Rios discovered that the Metasys web service is plagued by an unrestricted file upload vulnerability (CVE-2014-5428) that can be exploited by a remote, unauthenticated attacker to upload a shell script to an arbitrary location. The attacker can then execute the malicious script and compromise the affected system, ICS-CERT said.

Rios has also found that passwords are stored in a recoverable format (CVE-2014-5427). A remote attacker can compromise a Metasys system by using an unauthenticated POST request to retrieve the password hash belonging to an authorized user.

Martin Jartelius of Outpost24 has discovered and reported a high severity path traversal vulnerability (CVE-2015-0984) in Honeywell’s XLWeb controllers. The flaw affects several versions of the BACnet Building Controller Excel Web, including XL1000C50, XL1000C100, XL1000C500, XL1000C1000, XL1000C50U, XL1000C100U, XL1000C500U, and XL1000C1000U.

“An attacker may use this vulnerability to generate a valid login for an administrative user on the Honeywell XLWeb controller giving the attacker full administrator access to the system. The XLWEB application effectively becomes an entry point into the network where it is located,” ICS-CERT wrote in an advisory.

ICS-CERT advises organizations to mitigate the flaw by updating their products to Excel Web Linux version 2.04.01 or later, and Computer Aided Regulation Engineering (CARE) software version 10.02 or later.

A vulnerability affecting the XZERES 442SR Wind Turbine have been identified by independent researcher Maxim Rupp. The expert discovered a cross-site request forgery (CSRF) flaw (CVE-2015-0985) in the 442SR operating system.

By launching a CSRF attack against a targeted system, an attacker can change the password of the default user, which has administrative privileges on the system.

According to ICS-CERT, there is no indication that exploits are publicly available for these flaws. However, the vulnerabilities can be exploited remotely even by an attacker with low skill so organizations are advised to apply the updates as soon as possible.

Learn More at the 2015 ICS Cyber Security Conference

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.