On Tuesday, October 5th, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory to inform organizations about vulnerabilities in Honeywell Experion Process Knowledge System (PKS) and ACE controllers that could be exploited to achieve remote code execution and denial-of-service (DoS) conditions.
The three vulnerabilities are as follows:
- CVE-2021-28397 – (CVSS score: 10.0) – Unrestricted Upload of File with Dangerous Type
- CVE-2021-38395 – (CVSS score: 9.1) – Improper Neutralization of Special Elements in Output Used by a Downstream Component
- CVE-2021-38399 – (CVSS score: 7.5) – Relative Path Traversal
Experion Process Knowledge System (PKS) is a distributed control system (DCS) designed to control large industrial processes. Each Control Component Library (CCL) binary programmed for a controller is downloaded from the engineering station to the DCS components.
Team82 researchers from cybersecurity company Claroty found that it is possible to mimic the code download procedure and use these requests to upload arbitrary DLL/ELF files. “The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication,” Team82 researchers said.
Honeywell said the vulnerabilities affect its C200, C200E, C300 and ACE controllers, and that it has incorporated additional security enhancements by cryptographically signing each valid CCL binary prior to its use. Minimizing network exposure for all control system devices and/or systems, and ensuring that they are not accessible from the Internet, reduces the risk of organizations falling victim to these vulnerabilities. Users are also urged to update as soon as possible. Honeywell said the ACE and C200 controllers will not receive patches, but mitigations are available.
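The fix Honeywell describes, sketched as an added example that is not Honeywell's or Claroty's code: a controller-side loader that refuses a CCL binary unless its file name is a single safe component (no relative path traversal) and its detached signature verifies under a public key provisioned from the engineering station. The function names, error values and the choice of Ed25519 are assumptions made here; the advisory does not describe Honeywell's actual signing scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"path"
	"strings"
)

var ( // hypothetical error values for this example, not Honeywell identifiers
	ErrBadName      = errors.New("ccl: invalid or path-traversing file name")
	ErrBadSignature = errors.New("ccl: signature verification failed")
)

// safeCCLName rejects names that could escape the CCL directory (the relative path
// traversal class of CVE-2021-38399): one non-empty component, unchanged by path.Clean.
func safeCCLName(name string) bool {
	if name == "" || strings.ContainsAny(name, `/\`) {
		return false
	}
	return path.Clean("/"+name) == "/"+name
}

// newSigningKeys stands in for the engineering station's key pair (constructed here);
// the controller would hold only the public half.
func newSigningKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signCCL is the detached signature the station ships alongside a CCL binary.
func signCCL(priv ed25519.PrivateKey, blob []byte) []byte {
	return ed25519.Sign(priv, blob)
}

// loadCCL models the patched behaviour: accept a binary only if its name is safe and
// its signature verifies. The vulnerable behaviour is this function with both checks removed.
func loadCCL(pub ed25519.PublicKey, name string, blob, sig []byte) error {
	if !safeCCLName(name) {
		return ErrBadName
	}
	if !ed25519.Verify(pub, blob, sig) { // a nil or wrong-length sig simply fails
		return ErrBadSignature
	}
	return nil // only now would the controller hand blob to its loader
}
```

Note that the signature check binds the whole image, so a tampered byte anywhere in the blob is rejected, whereas an extension or name check alone is not a security boundary.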