Honeywell has released updates for its XL Web II controllers to address several critical and high severity vulnerabilities that can be exploited remotely from the Internet.
XL Web II or Excel Web II controllers, which are also sold under the Falcon brand, are web-based SCADA (supervisory control and data acquisition) systems designed for building management applications.
Security researcher Maxim Rupp discovered last summer that the product is affected by flaws that allow a remote attacker to obtain sensitive information and use the affected system as an entry point into the targeted organization’s network.
Rupp told SecurityWeek that, using the Shodan search engine, he has identified more than 600 vulnerable devices accessible from the Internet.
ICS-CERT has published an advisory describing the vulnerabilities, but the researcher says there are some inaccuracies. According to the expert’s own report, the flaws affect XL20xxBxx controllers running firmware version XLWeb2_vUBC_3-04-04-07 and prior, and CLEA20xxBxx devices running firmware version Eagle_vUBC_3-04-04-07 and prior.
The most serious of the flaws, rated critical based on their CVSS score, are related to exposed credentials. The expert discovered that the application stores passwords in easily accessible JavaScript files for client-side verification (CVE-2017-5140). These passwords are stored in clear text (CVE-2017-5139) and an attacker can access them without authentication.
2017 Singapore ICS Cyber Security Conference Call for Papers is Open!
Another vulnerability rated critical is an improper privilege management issue (CVE-2017-5142) that allows a user with limited privileges to access certain functions simply by navigating to a specific URL. These functions are normally accessible only to users with higher privileges.
Rupp has also discovered a high severity path traversal flaw (CVE-2017-5143) that allows an unauthenticated attacker to gain access to files that can contain sensitive information.
ICS-CERT’s advisory also mentions a medium severity session fixation flaw that could allow an attacker to gain access to a targeted user’s account (CVE-2017-5141). Rupp said this vulnerability was not included in his report and that it likely refers to a combination of weaknesses.
According to the researcher and ICS-CERT, Honeywell addressed the vulnerabilities with the release of version 3.04.05.05. Users can obtain the patches by contacting their vendor. There is no evidence that the flaws have been exploited in the wild.
Related: Learn More at the 2017 ICS Cyber Security Conference
Related: Only Few Organizations Patched Recent Honeywell SCADA Flaw
Related: Johnson Controls, XZERES, Honeywell Patch Vulnerable Products