The Cybersecurity and Infrastructure Security Agency (CISA) announced Tuesday the presence of security flaws in Honeywell Experion Process Knowledge System (PKS) C200, C200E, C300 and ACE controllers. The vulnerabilities include unrestricted upload of file with dangerous type, relative path traversal, and improper neutralization of special elements in output used by a downstream component.
Exploitation of these vulnerabilities could lead to remote code execution and denial-of-service conditions, CISA said in its advisory.
The research team at Claroty’s Team82 reported these vulnerabilities to Honeywell International. The team also found that the vulnerabilities could allow an attacker to modify a Control Component Library (CCL) and load it to a controller, which would then execute malicious code, while denial-of-service attacks were also possible. The attacker could use the vulnerabilities to execute native code on the system, modify process values, or disrupt critical processes.
A Control Component Library (CCL) is a library of control components that is loaded to a controller to perform specific functions. Claroty found that in some cases CCL files that are sent to end devices get instantly executed, without performing security checks such as signature checking. The protocol does not require authentication, which would prevent unauthorized users from performing download actions. Therefore, any attacker might use this library download functionality to remotely execute code without authentication. To do this, an attacker can download a DLL/ELF of his choice to the controller/simulator using the protocol, and it will be instantly executed on the end device, it added.
Used in the critical manufacturing sector, the Honeywell Experion PKS is an automation platform that integrates data from controllers, providing a centralized view of a plant-wide processes, wrote Rei Henigman and Nadav Erez, the Claroty researchers who reported the vulnerabilities to CISA. “The system primarily uses C200, C300 and ACE controllers, which may be programmed through Experion PKS Configuration Studio, Honeywell’s engineering workstation software. The logic, developed as block diagrams, can then be downloaded from the engineering workstation to the different components in the DCS,” they added.
Honeywell Experion PKS controllers and simulators communicate with the Experion PKS Configuration Studio engineering software for programming purposes over TCP ports 55553 and 55555, according to a Claroty blog post. These ports are used to communicate with the Experion PKS Configuration Studio software suite using a proprietary Honeywell engineering protocol. One of the applications within this suite is the Honeywell Experion Control Builder (contbldr.exe), which is responsible for programming the logic running in the controller.
As with every SCADA/DCS controller, it is possible to change current logic by performing a download code procedure. As part of this mechanism, the Honeywell Experion Control Builder software transfers compiled logic to the device and then executes it, Henigman and Erez wrote in the post. The logic is compiled to the controller’s CPU machine code (e.g. x86 bytecode), which may present a security risk. Usually, a sandbox or some other type of security control is in place that prevents native code execution. In this case, the Experion PKS lacks a sandbox, memory protection, or other restrictions on malicious code before it is executed.
Sandboxes, for example, are crucial cybersecurity controls, especially in the ICS domain; executables are executed in an isolated area which restricts its capabilities, such as accessing system resources, to a bare minimum. They are a critical tool to keep untested or untrusted code from affecting processes, and in limiting the spread of malware and exploits targeting known and unknown vulnerabilities.
In the case of the Experion PKS, Team82 found that it is possible to mimic the download code procedure and use these requests to upload arbitrary DLL/ELF files (for simulators and controllers, respectively). The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication.
Generally, ports 55553 and 55555 are not exposed to the internet. An attacker would have to find another way to gain a foothold on the OT network in order to attack these vulnerabilities. In such a scenario, the two vulnerabilities discovered by Team82 could be leveraged to execute native code without restrictions. With such access to a DCS, an attacker could seriously disrupt operations by modifying process values, or use the DCS as a base for launching further attacks on the network using malware or exploits.
Honeywell addressed these vulnerabilities earlier this year in a number of updates and patches. All Experion PKS customers using the affected controllers in their environments, regardless of whether they use CCLs, are affected. An attacker already on the network can impact processes by loading a modified CCL with malicious code to a controller that would execute the attacker’s code.
To address the flaws, Honeywell has added cryptographic signing to CCLs to ensure they have not been tampered with. Each CCL binary now has an associated cryptographic signature that is sent to the controller when the CCL is loaded; that signature is validated before the CCL is used, Honeywell said in its advisory.
Honeywell has made patches available for affected Experion PKS versions, including server software patches and fixes for the controller firmware. Both must be applied in order to fully mitigate these vulnerabilities. Hotfixes have either been released or will be released for versions R510.2 (Hotfix10, released) and R501.6. Version R511.5 also addresses all of these vulnerabilities. No patches are available for other Experion releases, and those users are urged to migrate to the latest point release.
Last month, new research identified the existence of chain vulnerabilities on network management systems used in various IT, IoT, and OT networks, such as Nagios Core monitoring software. Claroty Team82’s team detected among other things remote code execution with root privileges, privilege escalation, and credential theft security loopholes, and privately disclosed 11 vulnerabilities in Nagios components, all of which were fixed in updates released in August.