Hackers Could Disrupt Industrial Processes via Flaws in Widely Used Honeywell DCS
A distributed control system (DCS) product offered by Honeywell is affected by vulnerabilities that could allow malicious actors to disrupt industrial processes.
Researchers at industrial cybersecurity firm Claroty discovered that Honeywell’s Experion Process Knowledge System (PKS) is affected by three types of vulnerabilities. Two of them, CVE-2021-38395 and CVE-2021-38397, have been assigned a severity rating of critical and can allow an attacker to remotely execute arbitrary code on the system or cause a denial of service (DoS) condition.
The third flaw, tracked as CVE-2021-38399 and classified as high severity, is a path traversal issue that can allow an attacker to access files and folders.
The industrial giant published a security advisory for these vulnerabilities in February, when it informed customers about its plans for releasing patches this year. Some versions of the impacted products, however, will not receive fixes.
In a blog post published on Tuesday, Claroty detailed the vulnerabilities found by its Team82 researchers, as well as their potential impact in real world environments.
The Honeywell Experion PKS product is used by organizations worldwide to control large industrial processes. The DCS leverages controllers that can be programmed using engineering workstation software named Experion PKS Configuration Studio. The logic programmed for a controller is downloaded from the engineering station to the DCS components.
“In the case of the Experion PKS, Team82 found that it is possible to mimic the download code procedure and use these requests to upload arbitrary DLL/ELF files (for simulators and controllers, respectively). The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication,” Claroty explained.
An attacker could exploit the vulnerabilities to cause significant disruptions or to abuse the DCS for further attacks on the targeted organization’s network. However, Claroty pointed out that the ports an attacker needs access to in order to exploit the vulnerabilities are typically not exposed to the internet. The attacker would need to find a way to access the targeted organization’s OT network before exploiting the flaws.
Honeywell said the vulnerabilities impact its C200, C200E, C300 and ACE controllers. The ACE and C200 controllers will not receive patches, but mitigations are available, especially since network access is required for exploitation.