Claroty’s Team82 exposes critical vulnerabilities in Honeywell’s ControlEdge UOC’s EpicMo protocol

Claroty’s Team82 researchers uncovered vulnerabilities in the EpicMo protocol implementation within Honeywell’s ControlEdge Virtual Unit Operations Center (UOC). These vulnerabilities, found in instances of ControlEdge Virtual UOC, are exploitable and pose a risk of unauthenticated remote code execution. The identified vulnerabilities are located within the EpicMo protocol (TCP port 55565), a proprietary communication protocol developed by Honeywell for interactions between Honeywell Experion servers and controllers.

Team82 privately disclosed these vulnerabilities, CVE-2023-5389 and CVE-2023-5390, to Honeywell, which has addressed them in an update. Honeywell has updated Virtual UOC and users are urged to move to current versions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory for CVE-2023-5389 (CVSS v3 score: 9.1) and CVE-2023-5390 (5.3). Honeywell has also published an advisory.

CISA said that exploitation of these vulnerabilities could disclose sensitive information, allow privilege escalation, or allow remote code execution. “Successful exploitation of this vulnerability could allow an attacker to modify files on Experion controllers or SMSC S300. This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered,” it added.

The researchers detailed in a blog post that the EpicMo protocol “contained an undocumented and dangerous function that enabled us to write files on Virtual UOC controllers without sanitation, which exposed the devices to the execution of unauthorized code. An attacker already on an OT network would use a malicious network packet to exploit this vulnerability and compromise the virtual controller. This attack could be carried out remotely in order to modify files, resulting in full control of the controller and the execution of malicious code.”

“While researching the EpicMo protocol we discovered that the Virtual UOC implements different EpicMo function codes than the C300 controller,” the researchers added. “Two commands that caught our attention are ‘LoadFileFromModule’ and ‘LoadFileToModule.’ After researching these functions, we came to the conclusion that they enable arbitrary file-write and file-read to the virtual controller.”

The researchers found that LoadFileToModule allows users to write files to the controller. “One of the parameters this function receives is a Destination_Path, which is the path the given file will be written to. We discovered that this functionality allows users to supply an arbitrary path and data, and no validation or limitation exists on the given path. This means users can write files to all writeable locations on the controller, which is a security concern.”

They added that by leveraging this functionality, for example by writing executable files, attackers could achieve remote code execution on the controller. “In order to upload a file using the LoadFileToModule function code, we need to send at least three packets (start write, write data, finish write). Each packet starts with the regular EpicMo header.”

The researchers also pointed out that the maximum length of the file data in a data command is ‘0x7F.’ “If the data length is more than 0x7F it will be split into multiple packets where Upload Packet Number is updated accordingly.”

The Honeywell Control Edge Unit Operations Controller (UOC) is a modular physical controller that expands the Experion control DCS environment. Equipped with fault-tolerant Ethernet, Modbus TCP, and EtherNet/IP capabilities, the ControlEdge UOC offers robust communication options. Additionally, the UOC is available as a virtual controller, providing flexibility and reducing the hardware footprint for enterprises. This virtual solution operates as a Linux-based virtual machine, enabling installation in a virtual environment for enhanced efficiency and scalability.

The researchers detailed that the Honeywell controllers use multiple protocols for communications. “A service called ‘NameServer’ is responsible for routing and opening communications for all protocols. In order to start communication over a specific protocol, we first need to send a UDP message to the NameServer service (over UDP port 12321) specifying which protocol will be used. After sending the UDP initialization message, one can start communicating over TCP. Each session starts with a TCP initialization message specifying the protocol again,” they added.

To demonstrate how an attacker might leverage this vulnerability to achieve remote code execution, Team82 searched for writeable locations on the virtual controller. Two limitations complicated this: files uploaded using LoadFileToModule do not have the UNIX execute attribute, and everything mounted under /usr/honeywell is mounted read-only, so that directory is not writeable.

“We eventually decided to overwrite a system .so file; .so files do not need to have the execute attribute, and we can create a shared object that will execute our code when it is loaded,” the researchers detailed. “We chose /lib/libcap.so.2 as the shared object we overwrite since it is loaded at startup, but overwriting it does not affect the runtime in any major way and enables stable pre-auth RCE.”
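As an added illustration (not Team82's or Honeywell's code), the following Python contrasts a handler that uses Destination_Path as-is, as the article describes, with a hypothetical hardened start-write/write-data/finish-write session that confines uploads to an allow-listed directory, enforces the 0x7F per-packet limit and packet ordering, refuses to overwrite existing files such as system shared objects, and never sets the execute bit. The upload root, class and function names are assumptions for the example.

```python
import os
from pathlib import Path, PurePosixPath

MAX_CHUNK = 0x7F  # per-packet data limit quoted in the article


def vulnerable_write(dest_path: str, data: bytes) -> str:
    """Mirrors the described flaw: the caller-supplied path is used unvalidated."""
    with open(dest_path, "wb") as f:
        f.write(data)
    return dest_path


class HardenedUploadSession:
    """Hypothetical hardened handler: uploads are confined to an allow-listed root."""

    def __init__(self, upload_root: Path):
        self.root = upload_root.resolve()
        self.target, self.expected_pkt, self.buf = None, 0, bytearray()

    def start_write(self, dest_path: str) -> Path:
        rel = PurePosixPath(dest_path)
        # Reject absolute paths, empty paths and any '..' component up front.
        if rel.is_absolute() or not rel.parts or ".." in rel.parts:
            raise ValueError("rejected destination path: %r" % dest_path)
        # resolve() follows symlinks, so an escape through a link is caught as well.
        target = (self.root / rel).resolve()
        if self.root not in target.parents:
            raise ValueError("destination escapes upload root: %r" % dest_path)
        self.target, self.expected_pkt, self.buf = target, 0, bytearray()
        return target

    def write_data(self, pkt_no: int, chunk: bytes) -> int:
        if self.target is None:
            raise RuntimeError("write_data before start_write")
        if len(chunk) > MAX_CHUNK:
            raise ValueError("data chunk exceeds 0x7F bytes")
        if pkt_no != self.expected_pkt:  # Upload Packet Number must advance by one
            raise ValueError("unexpected Upload Packet Number %d" % pkt_no)
        self.buf += chunk
        self.expected_pkt += 1
        return len(self.buf)

    def finish_write(self) -> Path:
        if self.target is None:
            raise RuntimeError("finish_write before start_write")
        self.target.parent.mkdir(parents=True, exist_ok=True)
        with open(self.target, "xb") as f:  # 'x' mode: refuse to overwrite existing files
            f.write(bytes(self.buf))
        os.chmod(self.target, 0o644)  # uploaded content never gets the execute bit
        done, self.target = self.target, None
        return done
```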

Team82 detailed that proprietary protocols such as Honeywell’s EpicMo used for communication between Honeywell Experion servers and controllers often contain vulnerabilities that can put industrial processes at risk for manipulation or disruption.

“We found mechanisms with a function that enables possible remote code execution by writing files on Virtual UOC controllers without sanitization,” the post added.

Furthermore, the researchers “found an undocumented and dangerous function that enabled us to write files on Virtual UOC controllers without sanitation. An attacker on the OT network could send malicious packets to the controller and write files without authenticating to the controller.”

Last week, Claroty disclosed that 68 percent of federal OT (operational technology) administrators and managers reported experiencing an OT cyber-incident in the past year, while 90 percent of federal OT leaders say their agency has prioritized OT cybersecurity in the past two years. However, only approximately half felt confident they could detect or mitigate a threat today.
