Armis researchers find nine vulnerabilities in Honeywell Experion platforms for distributed control systems

Armis and Honeywell reveal the presence of nine Crit.IX vulnerabilities in Honeywell Experion DCS platforms, potentially enabling unauthorized remote code execution. Detected by Armis researchers, these security loopholes, if exploited, would allow an attacker to take over the devices and alter the operation of the DCS (distributed control system) controller, whilst hiding the alterations from the engineering workstation that manages the DCS controller.

“Our research revealed weak points in the CDA protocol – a proprietary protocol designed by Honeywell that is used to communicate between Honeywell Experion Servers and C300 controllers,” Tom Gol, Armis’ CTO for Research, wrote in a Thursday blog post. “This protocol lacks encryption and proper authentication mechanisms in legacy. As a result, anyone with access to the network is able to impersonate both the controller and the server. In addition, there are design flaws in the CDA protocol which make it hard to control the boundaries of the data and can lead to buffer overflows,” he added.

Gol highlights that exploitation of these vulnerabilities does not require authentication, only network access to the targeted devices; potentially any compromised IT, IoT, or OT (operational technology) asset on the same network as the DCS devices could be leveraged for an attack. This could result in anything from production stalls to full-on sabotage and even acts of cyber warfare. The DCS is a digital automated industrial control system (ICS) that uses geographically distributed control loops throughout a factory, machine, or control area.

He also confirmed that the newly discovered vulnerabilities affect a variety of products across a range of versions in three Honeywell Experion DCS platforms. “In the Experion Process Knowledge System (EPKS) platform (Experion Server and Experion Station). In LX and PlantCruise platforms (Engineering Station and Direct Station). In addition, the vulnerabilities affect the C300 DCS Controller, used across all three platforms.”

Honeywell has made available security patches and strongly advises affected organizations to promptly apply them.

The post added that Honeywell also implements a CDA Data Client Named Access protocol on the Experion server, which is used to communicate between the Honeywell Experion server and Experion applications, giving those applications tag-name access. Honeywell’s implementation of this protocol was found to contain four vulnerabilities that allow remote code execution (RCE) on the Experion server.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an ICS cybersecurity advisory on Thursday covering Honeywell’s Experion PKS, LX, and PlantCruise equipment. The notice revealed the presence of several hardware vulnerabilities, including heap-based buffer overflow, stack-based buffer overflow, out-of-bounds write, uncontrolled resource consumption, improper encoding or escaping of output, deserialization of untrusted data, improper input validation, and incorrect comparison.

Honeywell reports vulnerabilities in Experion PKS, LX, and PlantCruise affecting versions prior to R520.2. The affected equipment is deployed globally across multiple critical infrastructure sectors, and with a CVSS v3 score of 9.8, CISA said that ‘Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow privilege escalation or allow remote code execution.’ Armis cyber researchers reported these vulnerabilities to Honeywell.

Honeywell recommends users upgrade Experion Platforms to version R520.2, CISA added. “Honeywell advises users to follow security best practices for Experion platform environments to ensure access is limited to authorized users only. Users should ensure the backup files are maintained in a network location or physical drive with access limited to authorized users only and should not share them.”

Gol notes a steady increase in attacks on, and vulnerabilities in, OT targets, underscoring the risks faced by critical infrastructure systems.

One significant example was the attack on an Iranian steel mill, which was reportedly carried out by the ‘Predatory Sparrow’ hacktivist group back in June 2022, according to Gol. The group stated that it caused a serious fire within the facility and even released a video that appeared to be CCTV footage, showing workers evacuating an area of the plant before a machine began emitting molten steel and fire. The attack is significant due to its rarity in causing physical damage, as most cyber attacks typically occur in the digital realm.

Gol also pointed to another high-profile incident involving the Colonial Pipeline, one of the largest fuel pipelines in the United States. “In May 2021, the pipeline suffered a ransomware attack that disrupted fuel supplies along the East Coast. The attack exploited vulnerabilities in the pipeline’s IT network, causing operational disruptions and triggering fuel shortages in various states. This event highlighted the interconnectedness between IT and OT systems and emphasized the need for robust cybersecurity measures across all aspects of critical infrastructure.”

Evidently, the growing threat landscape calls for bolstering defenses, implementing robust security measures, and promoting collaboration to safeguard critical OT systems from potential attacks and vulnerabilities. 

Gol said that ICS vulnerabilities pose a significant risk to critical infrastructure, including power plants, manufacturing facilities, and oil refineries. “Responsible vulnerability disclosure plays a crucial role in ensuring the protection of these systems from potential attacks and minimizing the impact on public safety and operational continuity.”

The post confirmed that during the disclosure process, the researchers learned that “due to reuse of the vulnerable code in other products, the vulnerabilities also affect Honeywell’s LX and PlantCruise platforms.”

Last May, Armis confirmed with Honeywell the discovery of 13 code issues found within the Experion C300 controller and server. These were consolidated into nine new vulnerabilities, seven of them deemed critical. “Due to the severity of these vulnerabilities and the impact, Honeywell and Armis have been working together to investigate these findings, understand the underlying issues, and work towards a patch. Honeywell has made available security patches and strongly advises all affected customers to patch immediately,” the post added.