On Tuesday, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about multiple security flaws discovered in Honeywell Experion Process Knowledge System C200, C200E, C300, and ACE controllers. Hackers may use them to gain remote code execution and perform a denial-of-service (DoS) attack.
Honeywell previously stated that a threat actor might modify a Control Component Library (CCL) and load it onto a controller, causing the controller to run malicious code.
Experion Process Knowledge System (PKS) is a distributed control system (DCS) developed to monitor and operate major industrial processes in different industries, from nuclear power plants to petrochemical refineries, where high reliability and security are critical.
The three vulnerabilities are:
- CVE-2021-38397 (CVSS score of 10.0) – Unrestricted Upload of File with Dangerous Type
- CVE-2021-38395 (CVSS score of 9.1) – Improper Neutralization of Special Elements in Output Used by a Downstream Component
- CVE-2021-38399 (CVSS score of 7.5) – Relative Path Traversal
The problems revolve around the download code procedure, which is required to program the controller’s logic. An attacker might imitate that procedure and upload arbitrary CCL binary files.
According to the researchers, the device then loads the executables without any checks or sanitization, allowing an attacker to upload executables and run unauthorized native code remotely.
“The Experion PKS lacks a sandbox, memory protection, or other restrictions on malicious code before it is executed. In the case of the Experion PKS, Team82 found that it is possible to mimic the download code procedure and use these requests to upload arbitrary DLL/ELF files (for simulators and controllers, respectively). The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication,” Claroty researchers explained.
In short, successful exploitation of the flaws may allow a malicious actor to access unauthorized files and folders and even execute arbitrary code remotely, leading to a denial-of-service condition.
Honeywell has added a security hardening: each CCL binary is now cryptographically signed, and the signature is validated before the binary is used. This prevents a modified CCL containing malicious code from being loaded onto a controller.
To mitigate these vulnerabilities, users should apply the available updates or patches as soon as feasible.
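As an added illustration, not Honeywell's code, of the gate described above (signature validated before a CCL may be used) combined with the path check the traversal finding calls for: the container format, the verification key, the library directory and the use of an HMAC as a stand-in for the vendor's asymmetric signature are all constructed for this example.

```python
"""Constructed example of an upload gate for a component library (CCL).
The unchecked variant mirrors the pre-fix behaviour the advisory describes;
the hardened variant rejects traversal and verifies a signature before the
binary is accepted. HMAC-SHA256 stands in for an asymmetric vendor signature."""
import hashlib
import hmac
import posixpath
from typing import Optional

# Constructed key; a real controller would carry a vendor public key in firmware.
VERIFY_KEY = b"example-ccl-verification-key"
# Constructed staging directory for accepted libraries.
LIBRARY_ROOT = "/ccl"


def sign_ccl(payload: bytes, key: bytes = VERIFY_KEY) -> bytes:
    """Stand-in for the vendor's signing step: tag = HMAC(key, SHA-256(payload))."""
    return hmac.new(key, hashlib.sha256(payload).digest(), hashlib.sha256).digest()


def safe_library_path(name: str) -> Optional[str]:
    """Reject relative path traversal: the normalized destination must stay
    strictly inside LIBRARY_ROOT (absolute names and '..' escapes both fail)."""
    dest = posixpath.normpath(posixpath.join(LIBRARY_ROOT, name))
    if dest == LIBRARY_ROOT or not dest.startswith(LIBRARY_ROOT + "/"):
        return None
    return dest


def accept_ccl_unchecked(name: str, payload: bytes) -> str:
    """Pre-fix behaviour: any payload under any name is staged for loading."""
    return posixpath.join(LIBRARY_ROOT, name)


def accept_ccl(name: str, payload: bytes, signature: bytes) -> Optional[str]:
    """Hardened gate: path check first, then constant-time signature check.
    Returns the staging path on success, None when the upload is rejected."""
    dest = safe_library_path(name)
    if dest is None:
        return None
    if not hmac.compare_digest(sign_ccl(payload), signature):
        return None
    return dest


if __name__ == "__main__":
    blob = b"\x7fELF constructed component library"
    print(accept_ccl("pid_block.ccl", blob, sign_ccl(blob)))      # /ccl/pid_block.ccl
    print(accept_ccl("../etc/evil.ccl", blob, sign_ccl(blob)))    # None
    print(accept_ccl("pid_block.ccl", blob, bytes(32)))           # None
```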