===========================================================================
             AUSCERT External Security Bulletin Redistribution             
                                                                           
                               ESB-2024.2577                               
    ICS Advisory | ICSA-24-116-04 Honeywell Experion PKS, Experion LX,     
        PlantCruise by Experion, Safety Manager, Safety Manager SC         
                               26 April 2024                               
                                                                           
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Honeywell Experion LX                                   
                   Honeywell Experion PKS                                  
                   Honeywell Safety Manager                                
                   PlantCruise by Experion                                 
Publisher:         ICS-CERT                                                
Operating System:  Network Appliance                                       
Resolution:        Patch/Upgrade                                           
CVE Names:         CVE-2023-5397 CVE-2023-5396 CVE-2023-5394               
                   CVE-2023-5393 CVE-2023-5389 CVE-2023-5390               
                   CVE-2023-5407 CVE-2023-5392 CVE-2023-5406               
                   CVE-2023-5405 CVE-2023-5400 CVE-2023-5404               
                   CVE-2023-5395 CVE-2023-5401 CVE-2023-5403               
                   CVE-2023-5398                                           

Original Bulletin:
   https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-04

Comment: CVSS (Max):  8.1 CVE-2023-5401 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Honeywell International Inc.                         
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H


- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-24-116-04)

Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager,
Safety Manager SC

Release Date
April 25, 2024

1. EXECUTIVE SUMMARY

  o CVSS v3 9.1
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Honeywell
  o Equipment: Experion PKS, Experion LX, PlantCruise by Experion, Safety
    Manager, Safety Manager SC
  o Vulnerabilities: Exposed Dangerous Method or Function, Absolute Path
    Traversal, Stack-based Buffer Overflow, Debug Messages Revealing
    Unnecessary Information, Out-of-bounds Write, Heap-based Buffer Overflow,
    Binding to an Unrestricted IP Address, Improper Input Validation, Buffer
    Access with Incorrect Length Value, Improper Restriction of Operations
    within the Bounds of a Memory Buffer, Improper Handling of Length Parameter
    Inconsistency

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could disclose sensitive
information, allow privilege escalation, or allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Honeywell reports these vulnerabilities affect the following versions of
Experion PKS, LX, PlantCruise, Safety Manager, and Safety Manager SC:

  o Experion PKS: All releases prior to R510.2 HF14
  o Experion PKS: All releases prior to R511.5 TCU4 HF4
  o Experion PKS: All releases prior to R520.1 TCU5
  o Experion PKS: All releases prior to R520.2 TCU4 HF2
  o Experion LX: All releases prior to R511.5 TCU4 HF4
  o Experion LX: All releases prior to R520.1 TCU5
  o Experion LX: All releases prior to R520.2 TCU4 HF2
  o PlantCruise by Experion: All releases prior to R511.5 TCU4 HF4
  o PlantCruise by Experion: All releases prior to R520.1 TCU5
  o PlantCruise by Experion: All releases prior to R520.2 TCU4 HF2
  o Safety Manager: R15x, R16x up to and including R162.10
  o Safety Manager SC: R210.X, R211.1, R211.2, R212.1

3.2 Vulnerability Overview

3.2.1 Exposed Dangerous Method or Function CWE-749

Successful exploitation of this vulnerability could allow an attacker to modify
files on Experion controllers or SMSC S300. This exploit could be used to write
a file that may result in unexpected behavior based on configuration changes or
updating of files that could result in subsequent execution of a malicious
application if triggered.

CVE-2023-5389 has been assigned to this vulnerability. A CVSS v3 base score of
9.1 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5389. A base score of
8.8 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Absolute Path Traversal CWE-36

Successful exploitation of this vulnerability could allow an attacker to read
from the Experion controllers or SMSC S300. This exploit could be used to read
files from the controller that may expose limited information from the device.

CVE-2023-5390 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-5390. A base score of
6.9 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Stack-based Buffer Overflow CWE-121

Successful exploitation of this vulnerability against the Experion controller,
ControlEdge PLC, Safety Manager or SMSC S300 could allow an attacker to cause a
denial-of-service condition or perform a remote code execution over the network
using specially crafted messages.

CVE-2023-5407 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5407. A base score of
8.3 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 Debug Messages Revealing Unnecessary Information CWE-1295

Successful exploitation of this vulnerability against the Experion controller,
ControlEdge PLC, Safety Manager or SMSC S300 could allow an attacker to extract
more information from memory over the network than is required.

CVE-2023-5392 has been assigned to this vulnerability. A CVSS v3 base score of
7.5 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-5392. A base score of
8.7 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Out-of-bounds Write CWE-787

Successful exploitation of this vulnerability against the Experion Servers or
Stations, by manipulating messages from a controller, could allow an attacker to
cause a denial-of-service condition or perform remote code execution over the
network using specially crafted messages.

CVE-2023-5406 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5406. A base score of
8.2 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Write CWE-787

Successful exploitation of this vulnerability against the Experion Servers or
Stations could result in an information leak when an error is generated.

CVE-2023-5405 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is
(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-5405. A base score of
6.9 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 Heap-based Buffer Overflow CWE-122

Successful exploitation of these vulnerabilities against the Experion Servers
or Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5400 and CVE-2023-5404 have been assigned to these vulnerabilities. A
CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5400 and CVE-2023-5404.
A base score of 9.2 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.8 Stack-based Buffer Overflow CWE-121

Successful exploitation of these vulnerabilities against the Experion Servers
or Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403 have been assigned to these
vulnerabilities. A CVSS v3 base score of 8.1 has been calculated; the CVSS
vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5395, CVE-2023-5401 and
CVE-2023-5403. A base score of 9.2 has been calculated; the CVSS vector string
is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.9 Binding to an Unrestricted IP Address CWE-1327

Successful exploitation of this vulnerability against the Experion Servers or
Stations could allow an attacker to cause a denial-of-service condition over
the network using specially crafted messages.

CVE-2023-5398 has been assigned to this vulnerability. A CVSS v3 base score of
5.9 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5398. A base score of
8.2 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.10 Improper Input Validation CWE-20

Successful exploitation of this vulnerability against the Experion Servers or
Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5397 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5397. A base score of
9.2 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.11 Buffer Access with Incorrect Length Value CWE-805

Successful exploitation of this vulnerability against the Experion Servers or
Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5396 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5396. A base score of
8.3 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.12 Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-119

Successful exploitation of this vulnerability against the Experion Servers or
Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5394 has been assigned to this vulnerability. A CVSS v3 base score of
7.4 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5394. A base score of
8.3 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.13 Improper Handling of Length Parameter Inconsistency CWE-130

Successful exploitation of this vulnerability against the Experion Servers or
Stations could allow an attacker to cause a denial-of-service condition or
perform a remote code execution over the network using specially crafted
messages.

CVE-2023-5393 has been assigned to this vulnerability. A CVSS v3 base score of
8.1 has been calculated; the CVSS vector string is
(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5393. A base score of
9.2 has been calculated; the CVSS vector string is
(CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy,
    Water and Wastewater Systems
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Claroty and Armis reported these vulnerabilities to Honeywell.

4. MITIGATIONS

Honeywell fixed the reported issues and advises users to upgrade to the version
referenced in the Security Notice or CVE record.
CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. Specifically, users should:

  o Ensure the least-privilege user principle is followed.
  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from business networks.
  o When remote access is required, use secure methods, such as virtual private
    networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize a VPN is only
    as secure as its connected devices.

CISA recommends users take defensive measures to minimize the risk of
exploitation of these vulnerabilities. CISA reminds organizations to perform
proper impact analysis and risk assessment prior to deploying defensive
measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov/ics . Several CISA products detailing cyber
defense best practices are available for reading and download, including
Improving Industrial Control Systems Cybersecurity with Defense-in-Depth
Strategies .

CISA encourages organizations to implement recommended cybersecurity strategies
for proactive defense of ICS assets .

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage at cisa.gov/ics in the technical information paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies .

Organizations observing suspected malicious activity should follow established
internal procedures and report findings to CISA for tracking and correlation
against other incidents.

No known public exploitation specifically targeting these vulnerabilities has
been reported to CISA at this time.

5. UPDATE HISTORY

  o April 25, 2024: Initial Publication


Vendor

Honeywell

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================