Update – Unsupported versions of Honeywell distributed control system software are vulnerable to publicly available remote exploits.
The Industrial Control System Cyber Emergency Response Team (ICS-CERT) published on Tuesday an advisory warning organizations to upgrade to supported versions of Honeywell’s Experion PKS application to mitigate the issue.
Researcher Joel Langill of Luxembourg, founder of SCADAhacker.com, discovered a directory traversal vulnerability in Experion PKS release 310.x and earlier.
Directory traversal attacks exploit code that does not validate user input, allowing an attacker to supply input that gives access to directories the attacker would not normally be able to reach.
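The missing validation described above, shown beside a containment check, as an added example that is not from the ICS-CERT advisory or from Honeywell's code; the article gives no details of the Experion flaw, so this illustrates the bug class only. The function names and sample requests are hypothetical and constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(base, user_path):
    """Vulnerable pattern: join the input to the base and trust the result."""
    return os.path.normpath(os.path.join(base, user_path))


def safe_resolve(base, user_path):
    """Return the real path of user_path under base, or raise ValueError."""
    # Decode percent-encoding and treat backslashes as separators, so that
    # "..%2f" and "..\\" are seen for what they are before the path is resolved.
    decoded = unquote(user_path).replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    base_real = os.path.realpath(base)
    # realpath collapses ".." and follows symlinks; an absolute input makes
    # join() discard the base, which the containment check below then rejects.
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


def classify(base, requests):
    """Map each requested path to 'allowed' or 'rejected'."""
    verdicts = {}
    for req in requests:
        try:
            safe_resolve(base, req)
            verdicts[req] = "allowed"
        except ValueError:
            verdicts[req] = "rejected"
    return verdicts


# Constructed sample requests, not taken from any real product or log.
SAMPLES = ["reports/daily.txt", "../secrets.txt", "..\\secrets.txt",
           "%2e%2e/secrets.txt", "../www_backup/x", "/etc/hostname"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "www")
        os.makedirs(os.path.join(base, "reports"))
        print("naive:", naive_resolve(base, SAMPLES[1]))
        for req, verdict in classify(base, SAMPLES).items():
            print(f"{verdict:9} {req}")
```

The `commonpath` comparison is used instead of a string-prefix test because a sibling directory such as `www_backup` shares the prefix `www` and would pass a `startswith` check.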
“This vulnerability exists in all unsupported phased out versions of the application that is still in use by some customers,” said ICS-CERT in its advisory. “Honeywell has recommended users of the vulnerable versions upgrade to supported versions of the software, which have patches available.”
Honeywell said in a statement to Threatpost that the versions of Experion PKS affected by these flaws were built on Windows XP and that as far back as three years ago, it began to notify its customers about the need to upgrade given that XP would no longer be supported.
“The campaign included several written notifications, some co-written with Microsoft, as well as verbal contacts to ensure that all users had the information they would need to help them make an informed decision about upgrading their systems,” a Honeywell spokesperson said. “Honeywell advises that all users should upgrade to a supported version. Specific to this change, Honeywell will work with customers to plan an on-process software upgrade.”
Experion PKS is a distributed control system used in a number of critical industries such as energy and chemical. These systems are used to control continuous manufacturing processes, for example, by monitoring sensors and controlling flow and measurements.
“The affected products contain a directory traversal vulnerability that could allow an attacker to escalate privileges on the system to gain access to the host’s root directory,” the ICS-CERT advisory said, adding that exploits against this vulnerability would not require a great degree of skill on the attacker’s part.
Since these versions are no longer supported, it’s unknown whether they will be patched. Honeywell recommends users upgrade to supported versions such as Experion R43x, R41x or R40x.
Earlier this year, a separate remotely exploitable directory traversal bug was found in Honeywell’s XL Web Controller and was patched by the company. An attacker could generate admin logins on the controller, enabling full access to the system and providing a valuable entry point to an organization’s network.