The vulnerabilities, dubbed Crit.IX, can allow unauthenticated remote code execution on legacy versions of the Honeywell Experion server and C300 controllers.
Security researchers at cybersecurity firm Armis and American conglomerate Honeywell have jointly disclosed details of nine new vulnerabilities found in Honeywell Experion DCS platforms.
Armis reportedly found the flaws in May 2022 and reported 13 code issues in the Experion C300 controllers and the Experion server to Honeywell; these were later consolidated into nine vulnerabilities.
Seven of the nine are rated critical. Armis and Honeywell investigated the findings and their potential impact jointly.
Collectively named Crit.IX, the vulnerabilities allow unauthenticated remote code execution on legacy versions of the Honeywell server and controllers. Because the affected devices run processes in critical industries, exploitation could physically disrupt essential services and endanger the safety of the people around them.
An attacker who takes over a controller can alter its operation without the engineering workstation registering the change, so operators may keep seeing a process that looks normal.
Per Armis' report, authored by its CTO for Research Tom Gol, the weak points lie in Honeywell's proprietary Control Data Access (CDA) protocol, which carries communication between Experion servers and C300 controllers. In legacy versions the protocol has neither encryption nor a proper authentication mechanism, so anyone with network access can impersonate either the controller or the server.
Armis also found design flaws in CDA's framing that make it hard to enforce data boundaries, which leads to buffer overflows. Separately, the Experion server implements the CDA Data Client Named Access protocol, over which the Experion server and its applications communicate.
Four vulnerabilities in that protocol let an attacker achieve RCE on the Experion server. The flaws affect several Experion product lines, including Experion Process Knowledge System (PKS), Experion LX and PlantCruise.
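The data-boundary failure described above, as an added example that is not Armis's or Honeywell's code and does not reproduce the real CDA wire format: a hypothetical framing of a 1-byte type, a 2-byte big-endian length and a payload, parsed once the way a trusting legacy receiver would and once with the checks that keep a peer-supplied length inside the receive buffer and inside the bytes actually received. All frames are constructed for the example; the missing authentication is not modelled here.

```c
/* Added illustration, not Honeywell's or Armis's code and not the real CDA
 * wire format.  Hypothetical framing: 1-byte type | 2-byte big-endian length |
 * payload.  The point is the bug class the report describes: a proprietary,
 * unauthenticated protocol whose length field lets any peer on the network
 * decide how many bytes the receiver copies into a fixed buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 64

typedef struct {
    uint8_t  type;
    uint16_t len;
    uint8_t  payload[PAYLOAD_MAX];
} frame_t;

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Legacy-style parser: trusts the peer's length field.  A frame declaring
 * len > PAYLOAD_MAX writes past out->payload; a frame declaring more than was
 * received reads past buf.  Kept deliberately unchecked as the "before". */
int parse_frame_unsafe(const uint8_t *buf, size_t buflen, frame_t *out) {
    if (buflen < 3) return -1;
    out->type = buf[0];
    out->len  = read_be16(buf + 1);
    memcpy(out->payload, buf + 3, out->len);   /* BUG: len never bounded */
    return 0;
}

/* Hardened parser: the declared length is checked against both the
 * destination buffer and the bytes actually received before any copy. */
int parse_frame_safe(const uint8_t *buf, size_t buflen, frame_t *out) {
    if (buflen < 3) return -1;                 /* header incomplete */
    uint16_t len = read_be16(buf + 1);
    if (len > PAYLOAD_MAX) return -2;          /* would overflow payload[] */
    if ((size_t)len > buflen - 3) return -3;   /* would read past received data */
    out->type = buf[0];
    out->len  = len;
    memcpy(out->payload, buf + 3, len);
    return 0;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t GOOD_FRAME[]  = { 0x01, 0x00, 0x04, 'd', 'a', 't', 'a' };
/* Declares 0x1000 bytes but carries four: rejected by the safe parser,
 * a 4 KiB overflow of payload[] in the unsafe one. */
const uint8_t EVIL_FRAME[]  = { 0x01, 0x10, 0x00, 0x41, 0x41, 0x41, 0x41 };
/* Declares four bytes but carries two: an over-read in the unsafe parser. */
const uint8_t TRUNC_FRAME[] = { 0x01, 0x00, 0x04, 'd', 'a' };

int main(void) {
    frame_t f;
    printf("good:  %d\n", parse_frame_safe(GOOD_FRAME,  sizeof GOOD_FRAME,  &f));
    printf("evil:  %d\n", parse_frame_safe(EVIL_FRAME,  sizeof EVIL_FRAME,  &f));
    printf("trunc: %d\n", parse_frame_safe(TRUNC_FRAME, sizeof TRUNC_FRAME, &f));
    return 0;
}
```

The two checks in `parse_frame_safe` are the ones a protocol without authentication cannot do without: the first bounds the write, the second bounds the read, and neither relies on the peer being honest. Only the hardened parser is ever fed the malformed frames; running `parse_frame_unsafe` on them is undefined behaviour, which is exactly the point.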
None of the vulnerabilities require authentication: network reachability to the target is enough, whether from an attacker's laptop or from some other compromised device on the plant network, a vending machine included.
Attackers can therefore pivot from any compromised IoT, IT or OT asset on the same network as the DCS devices and never need to log in to the controller. Distributed control systems (DCS) are the digital, automated industrial control systems that run large industrial processes in energy, oil and gas, mining, pharmaceuticals and other critical industries.
From a business perspective, the flaws could cause service disruption, up to and including complete power outages. Honeywell DCS systems are widely used in the oil and gas industry, so that sector faces the greatest exposure. Other prominent Honeywell DCS customers include Shell, AstraZeneca, NASA and the US Department of Defense.
"ICS vulnerabilities pose a significant risk to critical infrastructure, including power plants, manufacturing facilities, and oil refineries. Responsible vulnerability disclosure plays a crucial role in ensuring the protection of these systems from potential attacks and minimizing the impact on public safety and operational continuity," Gol wrote in the report, published on 13 July 2023.
There is no evidence so far that the vulnerabilities have been exploited in the wild. Honeywell released security patches before disclosure and urged customers to update affected devices immediately. Since controller updates in a running plant usually wait for a maintenance window, the interim mitigation that follows from the findings is to restrict network reachability to the Experion servers and C300 controllers, as network access is the only prerequisite for exploitation.