===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2024.2577
      ICS Advisory | ICSA-24-116-04 Honeywell Experion PKS, Experion LX,
         PlantCruise by Experion, Safety Manager, Safety Manager SC
                               26 April 2024

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Honeywell Experion LX
                   Honeywell Experion PKS
                   Honeywell Safety Manager
                   PlantCruise by Experion
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-5397 CVE-2023-5396 CVE-2023-5394 CVE-2023-5393
                   CVE-2023-5389 CVE-2023-5390 CVE-2023-5407 CVE-2023-5392
                   CVE-2023-5406 CVE-2023-5405 CVE-2023-5400 CVE-2023-5404
                   CVE-2023-5395 CVE-2023-5401 CVE-2023-5403 CVE-2023-5398

Original Bulletin:
   https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-04

Comment: CVSS (Max):  8.1 CVE-2023-5401 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Honeywell International Inc.
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-24-116-04)

Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager,
Safety Manager SC

Release Date
April 25, 2024

1. EXECUTIVE SUMMARY

 o CVSS v3 9.1
 o ATTENTION: Exploitable remotely/low attack complexity
 o Vendor: Honeywell
 o Equipment: Experion PKS, Experion LX, PlantCruise by Experion, Safety
   Manager, Safety Manager SC
 o Vulnerabilities: Exposed Dangerous Method or Function, Absolute Path
   Traversal, Stack-based Buffer Overflow, Debug Messages Revealing
   Unnecessary Information, Out-of-bounds Write, Heap-based Buffer Overflow,
   Binding to an Unrestricted IP Address, Improper Input Validation, Buffer
   Access with Incorrect Length Value, Improper Restriction of Operations
   within the Bounds of a Memory Buffer, Improper Handling of Length
   Parameter Inconsistency

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could disclose sensitive
information, allow privilege escalation, or allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Honeywell reports these vulnerabilities affect the following versions of
Experion PKS, LX, PlantCruise, Safety Manager, and Safety Manager SC:

 o Experion PKS: All releases prior to R510.2 HF14
 o Experion PKS: All releases prior to R511.5 TCU4 HF4
 o Experion PKS: All releases prior to R520.1 TCU5
 o Experion PKS: All releases prior to R520.2 TCU4 HF2
 o Experion LX: All releases prior to R511.5 TCU4 HF4
 o Experion LX: All releases prior to R520.1 TCU5
 o Experion LX: All releases prior to R520.2 TCU4 HF2
 o PlantCruise by Experion: All releases prior to R511.5 TCU4 HF4
 o PlantCruise by Experion: All releases prior to R520.1 TCU5
 o PlantCruise by Experion: All releases prior to R520.2 TCU4 HF2
 o Safety Manager: R15x, R16x up to and including R162.10
 o Safety Manager SC: R210.X, R211.1, R211.2, R212.1

3.2 Vulnerability Overview

3.2.1 Exposed Dangerous Method or Function CWE-749

Successful exploitation of this vulnerability could allow an attacker to
modify files on Experion controllers or SMSC S300.
This exploit could be used to write a file that may result in unexpected
behavior based on configuration changes or updating of files that could result
in subsequent execution of a malicious application if triggered.

CVE-2023-5389 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5389. A base score of 8.8
has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Absolute Path Traversal CWE-36

Successful exploitation of this vulnerability could allow an attacker to read
from the Experion controllers or SMSC S300. This exploit could be used to read
files from the controller that may expose limited information from the device.

CVE-2023-5390 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-5390. A base score of 6.9
has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Stack-based Buffer Overflow CWE-121

Successful exploitation of this vulnerability against the Experion controller,
ControlEdge PLC, Safety Manager or SMSC S300 could allow an attacker to cause a
denial-of-service condition or perform a remote code execution over the
network using specially crafted messages.

CVE-2023-5407 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5407. A base score of 8.3
has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.4 Debug Messages Revealing Unnecessary Information CWE-1295

Successful exploitation of this vulnerability against the Experion controller,
ControlEdge PLC, Safety Manager or SMSC S300 could allow an attacker to extract
more information from memory over the network than is required.

CVE-2023-5392 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-5392. A base score of 8.7
has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Out-of-bounds Write CWE-787

Successful exploitation of this vulnerability against the Experion Servers or
Stations, by manipulating messages from a controller, could allow an attacker
to cause a denial-of-service condition or perform a remote code execution over
the network using specially crafted messages.

CVE-2023-5406 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5406. A base score of 8.2
has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Write CWE-787

Successful exploitation of this vulnerability against the Experion Servers or
Stations could result in an information leak when an error is generated.

CVE-2023-5405 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-5405. A base score of 6.9
has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.7 Heap-based Buffer Overflow CWE-122

Successful exploitation of these vulnerabilities against the Experion Servers
or Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5400 and CVE-2023-5404 have been assigned to these vulnerabilities. A
CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5400 and CVE-2023-5404.
A base score of 9.2 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.8 Stack-based Buffer Overflow CWE-121

Successful exploitation of these vulnerabilities against the Experion Servers
or Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403 have been assigned to these
vulnerabilities. A CVSS v3 base score of 8.1 has been calculated; the CVSS
vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5395, CVE-2023-5401 and
CVE-2023-5403. A base score of 9.2 has been calculated; the CVSS vector string
is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.9 Binding to an Unrestricted IP Address CWE-1327

Successful exploitation of this vulnerability against the Experion Servers or
Stations could allow an attacker to cause a denial-of-service condition over
the network using specially crafted messages.

CVE-2023-5398 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5398.
A base score of 8.2 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.10 Improper Input Validation CWE-20

Successful exploitation of this vulnerability against the Experion Servers or
Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5397 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5397. A base score of 9.2
has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.11 Buffer Access with Incorrect Length Value CWE-805

Successful exploitation of this vulnerability against the Experion Servers or
Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5396 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5396. A base score of 8.3
has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.12 Improper Restriction of Operations within the Bounds of a Memory
Buffer CWE-119

Successful exploitation of this vulnerability against the Experion Servers or
Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5394 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5394.
A base score of 8.3 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.13 Improper Handling of Length Parameter Inconsistency CWE-130

Successful exploitation of this vulnerability against the Experion Servers or
Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5393 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5393. A base score of 9.2
has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

 o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy,
   Water and Wastewater Systems
 o COUNTRIES/AREAS DEPLOYED: Worldwide
 o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Claroty and Armis reported these vulnerabilities to Honeywell.

4. MITIGATIONS

Honeywell fixed the reported issues and advises users to upgrade to the
version referenced in the Security Notice or CVE record.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

 o Ensure the least-privilege user principle is followed.
 o Minimize network exposure for all control system devices and/or systems,
   and ensure they are not accessible from the Internet.
 o Locate control system networks and remote devices behind firewalls and
   isolate them from business networks.
 o When remote access is required, use secure methods, such as virtual private
   networks (VPNs), recognizing VPNs may have vulnerabilities and should be
   updated to the most current version available. Also recognize VPN is only
   as secure as its connected devices.
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended
practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing
cyber defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies.

CISA encourages organizations to implement recommended cybersecurity
strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly
available on the ICS webpage at cisa.gov/ics in the technical information
paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

No known public exploitation specifically targeting these vulnerabilities has
been reported to CISA at this time.

5. UPDATE HISTORY

 o April 25, 2024: Initial Publication

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================