Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Several Flaws Patched in Honeywell Controllers

Honeywell has released updates for its XL Web II controllers to address several critical and high severity vulnerabilities that can be exploited remotely from the Internet.

Honeywell has released updates for its XL Web II controllers to address several critical and high severity vulnerabilities that can be exploited remotely from the Internet.

XL Web II or Excel Web II controllers, which are also sold under the Falcon brand, are web-based SCADA (supervisory control and data acquisition) systems designed for building management applications.

Security researcher Maxim Rupp discovered last summer that the product is affected by flaws that allow a remote attacker to obtain sensitive information and use the affected system as an entry point into the targeted organization’s network.

Rupp told SecurityWeek that, using the Shodan search engine, he has identified more than 600 vulnerable devices accessible from the Internet.Vulnerabilities in Honeywell Excel Web controllers

ICS-CERT has published an advisory describing the vulnerabilities, but the researcher says there are some inaccuracies. According to the expert’s own report, the flaws affect XL20xxBxx controllers running firmware version XLWeb2_vUBC_3-04-04-07 and prior, and CLEA20xxBxx devices running firmware version Eagle_vUBC_3-04-04-07 and prior.

The most serious of the flaws, rated critical based on their CVSS score, are related to exposed credentials. The expert discovered that the application stores passwords in easily accessible JavaScript files for client-side verification (CVE-2017-5140). These passwords are stored in clear text (CVE-2017-5139) and an attacker can access them without authentication.

2017 Singapore ICS Cyber Security Conference Call for Papers is Open!

Another vulnerability rated critical is an improper privilege management issue (CVE-2017-5142) that allows a user with limited privileges to access certain functions simply by navigating to a specific URL. These functions are normally accessible only to users with higher privileges.

Rupp has also discovered a high severity path traversal flaw (CVE-2017-5143) that allows an unauthenticated attacker to gain access to files that can contain sensitive information.

Advertisement. Scroll to continue reading.

ICS-CERT’s advisory also mentions a medium severity session fixation flaw that could allow an attacker to gain access to a targeted user’s account (CVE-2017-5141). Rupp said this vulnerability was not included in his report and that it likely refers to a combination of weaknesses.

According to the researcher and ICS-CERT, Honeywell addressed the vulnerabilities with the release of version 3.04.05.05. Users can obtain the patches by contacting their vendor. There is no evidence that the flaws have been exploited in the wild.

Related: Learn More at the 2017 ICS Cyber Security Conference

Related: Only Few Organizations Patched Recent Honeywell SCADA Flaw

Related: Johnson Controls, XZERES, Honeywell Patch Vulnerable Products

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.