Metasploit today released an exploit module for a serious vulnerability in Honeywell industrial control system software used to manage everything from HVAC and building access systems to energy and facilities management processes.
The vulnerability was reported by Rapid7 researcher Juan Vazquez in January, and Honeywell released a patch to its customers on Feb. 22. If exploited, an attacker would be able to remotely execute arbitrary code on a workstation hosting Honeywell’s Enterprise Buildings Integrator (EBI) building management software, as well as on its SymmetrE and ComfortPoint Open Manager Station workstations. No exploits have been detected in the wild.
EBI is a centralized interface built on an open architecture that enables management of HVAC systems, security, access control and building surveillance, as well as fire alarm monitoring, and even energy optimization.
An attacker would need to lure a victim to a malicious site, via a phishing email for example, in order to exploit the vulnerability, CVE-2013-0108. The flaw lies in an ActiveX control exposed by HscRemoteDeploy.dll, a library used to support installation of the Honeywell HMIWeb Browser on workstation clients. An attacker could deliver the attack through a malicious HTA, or HTML application. HTAs are fully trusted applications and can carry out actions that IE would never permit in a webpage, Rapid7’s Vazquez wrote in a blogpost.
“In HTAs, the restrictions against allowing script to manipulate the client machine are lifted,” Vazquez wrote, adding that command codes are supported without scripting limitations, and that HTAs have read/write access to a machine’s files and system registries.
ICS-CERT said in an advisory that the vulnerability could be exploited in targeted attacks. EBI is installed in a number of government and commercial facilities; case studies on the Honeywell site include hospitals, pharmaceutical plants and Wembley Stadium in London.
“The platforms are typically managed and controlled by dedicated station-based clients on secured, isolated building control, security or life safety networks. Non-critical applications can be installed on customer-based enterprise networks and can use the optional Web browser interface,” the ICS-CERT advisory said.
Ideally, said Metasploit engineering manager Tod Beardsley, workstations hosting the EBI software would not be connected to the Internet, but most are also used as general-purpose machines for email and Web browsing.
“Essentially, if you know the target has this ActiveX control running and it’s loaded, you can get any backdoor loaded on the machine,” Beardsley said.
While Honeywell has made a patch available to its customers, it is still coordinating with Microsoft to ship a kill bit for the HscRemoteDeploy.dll ActiveX control in an upcoming Patch Tuesday security update; the next one is scheduled for tomorrow. It is unknown whether the kill bit will be included in tomorrow’s update or in April’s. Until the patch is applied, Honeywell said, disabling the DLL in question is an acceptable temporary mitigation, because the DLL is used only to simplify installation or upgrade of the HMIWeb Browser client.
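A kill bit is not something Honeywell or Microsoft have to ship for you to apply it: it is a per-CLSID `Compatibility Flags` DWORD with the `0x400` bit set under IE’s `ActiveX Compatibility` registry key, which is the mechanism Microsoft documents for telling IE never to instantiate a control. The script below is an added example, not code from Honeywell, Rapid7 or Microsoft, that locates every COM class registered from a given DLL and sets the kill bit for it, then reports whether the bit is in place. The article does not give the CLSID of the HscRemoteDeploy.dll control, so the script discovers CLSIDs by scanning `InprocServer32` registrations for that file name instead of hard-coding one; the DLL name and the `0x400` flag value are the only assumptions, and the `-WhatIfOnly` switch and the function names are my own. Run it from an elevated PowerShell prompt on a workstation that has the HMIWeb Browser client installed.

```powershell
# Added example (not Honeywell's, Rapid7's or Microsoft's code): find the CLSIDs
# registered from HscRemoteDeploy.dll and set the IE ActiveX kill bit for them.
# Assumptions: the DLL name as reported in the article, and 0x400 as the
# documented kill-bit value in "Compatibility Flags". Run elevated.
param(
    [string]$DllName = 'HscRemoteDeploy.dll',   # assumption: file name from the article
    [switch]$WhatIfOnly                           # list matching CLSIDs, write nothing
)

$KillBit = 0x400   # Microsoft's documented "never load this control in IE" flag

# COM class registrations live in both the native and the 32-bit (WOW64) views.
$clsidRoots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID'
) | Where-Object { Test-Path $_ }

# IE consults the ActiveX Compatibility key in the matching view; skip the
# WOW64 path on hosts that have no Wow6432Node at all (32-bit Windows).
$compatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
) | Where-Object { Test-Path (Split-Path $_ -Parent) }

function Find-ClsidByDll {
    # Return every {CLSID} whose InprocServer32 default value points at $Dll.
    param([string]$Dll)
    foreach ($root in $clsidRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $server = Get-Item -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($null -eq $server) { return }
            $path = [string]$server.GetValue('')            # may be quoted or bare
            $file = [System.IO.Path]::GetFileName($path.Trim('"'))
            if ($file -ieq $Dll) { $_.PSChildName }          # e.g. {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
        }
    }
}

function Set-KillBit {
    # OR the kill bit into Compatibility Flags so any other flags already set survive.
    param([string]$Clsid)
    foreach ($root in $compatRoots) {
        $key = "$root\$Clsid"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]$current -bor $KillBit                   # [int]$null is 0
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

function Test-KillBit {
    # Report, per registry view, whether the kill bit is set for the CLSID.
    param([string]$Clsid)
    foreach ($root in $compatRoots) {
        $flags = (Get-ItemProperty -Path "$root\$Clsid" -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            View       = $root
            CLSID      = $Clsid
            KillBitSet = (([int]$flags -band $KillBit) -ne 0)
        }
    }
}

$clsids = @(Find-ClsidByDll -Dll $DllName | Sort-Object -Unique)
if ($clsids.Count -eq 0) {
    Write-Warning "No COM classes registered from $DllName on this host; nothing to kill-bit."
    return
}
foreach ($c in $clsids) {
    if (-not $WhatIfOnly) { Set-KillBit -Clsid $c }
    Test-KillBit -Clsid $c
}
```

Run with `-WhatIfOnly` first to see which CLSIDs the DLL registers before touching anything. The kill bit only stops MSHTML from instantiating the control; it leaves the DLL on disk, so the HMIWeb Browser installer can still be run by other means, and clearing the `0x400` bit restores the control once Honeywell’s patch has been applied. Because the flag is enforced by the browser engine rather than by the control, it covers the HTA delivery route described above as well as ordinary IE pages.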
Industrial control systems have been popular targets because of the critical infrastructure they operate. At the Kaspersky Lab Security Analyst Summit in February, researchers Billy Rios and Terry McCorkle of security company Cylance reported a vulnerability in Tridium’s Niagara Framework, which is also used to run building management systems. Serious vulnerabilities and a number of attacks have forced manufacturers such as Honeywell to reassess their responses and vulnerability remediation processes.
“(Honeywell) handled this well, better than we typically get,” Beardsley said. “This was out of the park amazing coordination; keeping us involved in how they were disclosing and letting us help them. Hardly anyone lets us do that; often vulnerabilities fall into a black hole and rarely do we get a whole lot of feedback from vendors.”
Honeywell image via BLW Photography‘s Flickr photostream, Creative Commons