Honeywell had noted the flaws in an independent security notification published earlier this month. Rei Henigman and Nadav Erez of industrial cybersecurity firm Claroty are credited with discovering and reporting them.
A Control Component Library (CCL) may be modified by a bad actor and loaded onto a controller, causing the controller to execute malicious code.
The CCL format is a DLL/ELF file wrapper. Its first four bytes are the CRC32 of the wrapped executable (DLL/ELF), the following 128 bytes hold the library's name, and the rest of the file is the wrapped DLL/ELF itself. These DLL/ELF files are the libraries of block code used by the Control Builder software. No security validation, such as signature checking or library name sanitization, is performed when CCL files are decoded. As a result, an attacker can use a directory traversal attack in the library name to write arbitrary DLL/ELF files to any location on the remote controller.
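To make the wrapper layout concrete, here is an added Python example written for this page (not Claroty's research code and not Honeywell's implementation). It builds a CCL blob from the field sizes given above, decodes it the way the description implies the controller does (no checks, attacker-controlled name joined onto the library directory), and beside that a hardened decoder that verifies the CRC32 and confines the library name to a single path component under the library directory. The CRC byte order (little-endian) and the name encoding (NUL-padded ASCII) are assumptions; the page states only the field sizes. The function names and the `/opt/ccl` directory are hypothetical.

```python
from __future__ import annotations

import os
import struct
import zlib

# Layout from the advisory description: 4-byte CRC32 of the wrapped
# executable, 128-byte library name, then the DLL/ELF payload.
# Assumed (not stated on the page): little-endian CRC, NUL-padded ASCII name.
CRC_LEN = 4
NAME_LEN = 128
HEADER_LEN = CRC_LEN + NAME_LEN


class CclError(ValueError):
    """Raised by the hardened decoder when a CCL blob is rejected."""


def build_ccl(name: str, payload: bytes) -> bytes:
    """Wrap a DLL/ELF blob in the CCL container (constructed for this example)."""
    raw_name = name.encode("ascii")
    if len(raw_name) > NAME_LEN:
        raise ValueError("library name too long")
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    return struct.pack("<I", crc) + raw_name.ljust(NAME_LEN, b"\x00") + payload


def decode_ccl_unsafe(blob: bytes, lib_dir: str) -> tuple[str, bytes]:
    """Mirror of the flawed behaviour: no CRC check, no name sanitization.

    The name is read C-string style (up to the first NUL) and joined onto the
    library directory as-is, so '../../' in the name walks out of lib_dir.
    """
    name = blob[CRC_LEN:HEADER_LEN].split(b"\x00", 1)[0].decode("ascii", "replace")
    payload = blob[HEADER_LEN:]
    return os.path.join(lib_dir, name), payload  # traversal sink


def decode_ccl_safe(blob: bytes, lib_dir: str) -> tuple[str, bytes]:
    """Hardened decoder: verify the CRC and confine the destination path.

    Note: CRC32 only detects corruption. It is not a signature, so this
    still does not authenticate who produced the library; that needs a
    signature check over the payload, which the CCL header has no field for.
    """
    if len(blob) <= HEADER_LEN:
        raise CclError("truncated CCL")
    (crc,) = struct.unpack("<I", blob[:CRC_LEN])
    raw_name = blob[CRC_LEN:HEADER_LEN]
    payload = blob[HEADER_LEN:]
    if zlib.crc32(payload) & 0xFFFFFFFF != crc:
        raise CclError("CRC mismatch")

    # Name must be NUL-terminated with only padding after the terminator,
    # printable ASCII, and a single path component (no separators, no '..').
    name_bytes, _, tail = raw_name.partition(b"\x00")
    if tail.strip(b"\x00"):
        raise CclError("data after name terminator")
    try:
        name = name_bytes.decode("ascii")
    except UnicodeDecodeError as exc:
        raise CclError("non-ASCII name") from exc
    if (not name or name in (".", "..") or "/" in name or "\\" in name
            or not name.isprintable()):
        raise CclError(f"rejected library name {name!r}")

    # Belt and braces: resolve and confirm the result stays under lib_dir.
    root = os.path.realpath(lib_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise CclError("destination escapes library directory")
    return dest, payload


if __name__ == "__main__":
    # Constructed sample payloads (not real block code).
    benign = build_ccl("PIDBlock.dll", b"MZ" + b"\x00" * 14)
    evil = build_ccl("../../etc/evil.so", b"\x7fELF" + b"\x00" * 12)
    print("unsafe, benign :", decode_ccl_unsafe(benign, "/opt/ccl")[0])
    print("unsafe, evil   :", decode_ccl_unsafe(evil, "/opt/ccl")[0])
    print("safe, benign   :", decode_ccl_safe(benign, "/opt/ccl")[0])
    try:
        decode_ccl_safe(evil, "/opt/ccl")
    except CclError as err:
        print("safe, evil     : rejected,", err)
```

The rejection list is deliberately an allow-list shape (one printable ASCII component, nothing after the NUL) rather than a search for `..`, since encoded or mixed separators are a common way around denylists; the final `realpath`/`commonpath` check is a second line of defence, not the primary one.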
CISA on Tuesday reported multiple security flaws affecting all versions of Honeywell Experion Process Knowledge System (PKS) C200, C200E, C300, and ACE controllers that could be exploited to achieve remote code execution and denial-of-service (DoS) conditions.
The three flaws are as follows:
- CVE-2021-38397 (CVSS score: 10.0) – Unrestricted Upload of File with Dangerous Type
- CVE-2021-38395 (CVSS score: 9.1) – Improper Neutralization of Special Elements in Output Used by a Downstream Component
- CVE-2021-38399 (CVSS score: 7.5) – Relative Path Traversal
“A patch strategy has been developed for the controllers/impacted Experion PKS Versions. This patch includes both server software and controller firmware which are both needed to mitigate the issue. Therefore, after installing the patch onto the Experion PKS system, all controllers must be updated with the new firmware.” reads the blogpost.
The vendor has also provided release-specific upgrade guidance. For example, a customer running R501.4 would need to migrate to the R501.6 hotfix to obtain the fix.
Honeywell recommends that customers update their systems as soon as possible to fully mitigate the reported vulnerabilities.