Honeywell released a security update for the company’s Falcon XLWeb controller several months ago, but only a small number of organizations have applied the patch, according to researchers at vulnerability management company Outpost24.
Honeywell XLWeb controllers are web-based SCADA (supervisory control and data acquisition) systems designed for building management applications. Honeywell says the product is deployed in several sectors, mainly in Europe and the Middle East.
In April 2014, researchers at Outpost24 notified ICS-CERT of a vulnerability in the Honeywell SCADA product that could have been exploited by a remote attacker with moderate skill to obtain administrative access to the vulnerable system.
Honeywell developed a patch for the flaw roughly one month later and ICS-CERT disclosed its existence, along with the details of a cross-site scripting (XSS) vulnerability found by Juan Francisco Bolivar, in an advisory published on July 22, 2014.
In February 2015, Outpost24 identified two additional security issues in Honeywell XLWeb: a directory traversal flaw (CVE-2015-0984), and a default, unchangeable account. An attacker can authenticate on the FTP server using the default account, traverse the working directory by leveraging the path traversal bug, and upload a shell that allows them to execute OS commands, researchers said.
Honeywell addressed the directory traversal by March 10, and ICS-CERT published an advisory on March 17. Outpost24 published a blog post containing additional details on this attack on April 22.
John Stock, technology program director at Outpost24, revealed during a talk at the Infosecurity Europe 2015 conference that only one company had patched the vulnerability he and Martin Jartelius, CSO of Outpost24, reported to Honeywell this year. The number has since increased to three (as of June 8), but that still shows a low patching rate considering that tens of systems are accessible on the Internet.
Researchers initially identified 143 Honeywell XLWeb systems by using Shodan, the search engine for Internet-connected devices. Now, 46 of them are no longer online at the previously known address. Of the remaining systems, 90 are unpatched and completely vulnerable to directory traversal attacks (CVE-2015-0984), Stock and Jartelius told SecurityWeek in an interview.
Interestingly, the experts believe four of the systems, which are located in the same country, have either been exploited or they are malfunctioning. The systems are there, but their SCADA component is broken, the researchers said.
“The landing page is replaced by one causing a processing error, and the system is hardened preventing remote access using the 2015 exploit (there is a non intrusive safe test for both vulnerabilities),” explained Jartelius.
Jartelius believes the systems have been exploited and the attackers have hardened them to maintain access and keep other hackers out.
“A hacker who wants to maintain access will do the hardening to keep other hackers out, just as a defender would, but would normally have left the user interface intact to mask his presence, so if so, it’s not a careful or good attacker,” the expert said.
On the other hand, since all of the four broken systems are in the same country, it’s possible that a Honeywell customer hardened the devices “in a very strange way,” Jartelius noted.
Outpost24 has developed an easy-to-use exploit for the Honeywell XLWeb vulnerability, but the company is not making it public. The security firm believes full disclosure is not a viable approach when it comes to ICS vulnerabilities because the exploitation of such systems can have serious consequences.
Related: Learn More at the ICS Cyber Security Conference
SecurityWeek has reached out to Honeywell to find out if it has taken any steps to encourage customers to apply security updates, but the company hasn’t responded by the time of publication.
Over the past year, Outpost24 has sent out a total of 20 ICS vulnerability alerts affecting the products of 15 different vendors. While Honeywell was quick to address the security holes reported by researchers, other vendors haven’t been very cooperative. Stock and Jartelius told SecurityWeek that while two of the contacted vendors have confirmed working on patches, half a dozen companies have ignored their reports. Some vendors said they’re looking into the issues, but others will not provide patches, in some cases because they believe the bugs are not worth patching.
“With ICS/SCADA issues, fully open disclosure is not really an option, so we remain at mercy with the ability to cooperate with them,” Stock told SecurityWeek. “Not all vendors treat it as seriously as they should, highlighted by the lack of response from vendors. Organisations are definitely more aware, both the media and general security posture of companies proves this. However, the number of ICS/SCADA devices which are internet connected is still a major concern when the amount of security testing performed on these devices is highly limited.”
“In an ideal world, ICS/SCADA vendors would get the security testing done themselves before release of the device. Even if they are not intended to be internet connected, the same level of security should be required if they are within an internal network,” Stock added. “General security awareness also seems to be lacking around configuration of the devices. The use of default passwords is always a concern, especially where it is not advised to change these in the documentation, or forced when a device is first configured. Hardcoded credentials are even worse, as this gives the user no chance to actually change the credentials.”
