The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has released a series of advisories detailing security issues identified by researchers in products from XZERES, Honeywell, and Johnson Controls.
According to ICS-CERT, Johnson Controls has released patches to address two high severity vulnerabilities affecting the 4.1, 5.x and 6.x releases of the Metasys building management system. The vulnerable releases are used in products such as Application and Data Server (ADS), Extended Application and Data Server (ADX), LonWorks Control Server 85 (LCS8520), Network Automation Engine (NAE), Network Integration Engine (NIE), and NxE8500.
Security researcher Billy Rios discovered that the Metasys web service is plagued by an unrestricted file upload vulnerability (CVE-2014-5428) that can be exploited by a remote, unauthenticated attacker to upload a shell script to an arbitrary location. The attacker can then execute the malicious script and compromise the affected system, ICS-CERT said.
Rios has also found that passwords are stored in a recoverable format (CVE-2014-5427). A remote attacker can compromise a Metasys system by using an unauthenticated POST request to retrieve the password hash belonging to an authorized user.
Martin Jartelius of Outpost24 has discovered and reported a high severity path traversal vulnerability (CVE-2015-0984) in Honeywell’s XLWeb controllers. The flaw affects several versions of the BACnet Building Controller Excel Web, including XL1000C50, XL1000C100, XL1000C500, XL1000C1000, XL1000C50U, XL1000C100U, XL1000C500U, and XL1000C1000U.
“An attacker may use this vulnerability to generate a valid login for an administrative user on the Honeywell XLWeb controller giving the attacker full administrator access to the system. The XLWEB application effectively becomes an entry point into the network where it is located,” ICS-CERT wrote in an advisory.
ICS-CERT advises organizations to mitigate the flaw by updating their products to Excel Web Linux version 2.04.01 or later, and Computer Aided Regulation Engineering (CARE) software version 10.02 or later.
A vulnerability affecting the XZERES 442SR Wind Turbine have been identified by independent researcher Maxim Rupp. The expert discovered a cross-site request forgery (CSRF) flaw (CVE-2015-0985) in the 442SR operating system.
By launching a CSRF attack against a targeted system, an attacker can change the password of the default user, which has administrative privileges on the system.
According to ICS-CERT, there is no indication that exploits are publicly available for these flaws. However, the vulnerabilities can be exploited remotely even by an attacker with low skill so organizations are advised to apply the updates as soon as possible.