Honeywell released a firmware update to patch two vulnerabilities in the NOTI-FIRE-NET Web Server (NWS-3) product. One of the vulnerabilities, identified as CVE-2020-6972, allows an attacker to bypass the authentication system to gain access to the administration dashboard and control the alarm system, all without a password. The other vulnerability (CVE-2020-6974) allows an unauthenticated attacker to download a backup database file that contains usernames and password hashes. The US Department of Homeland Security released an advisory that rated the vulnerabilities as critical and urged organizations to apply the patch or to isolate the web interface for the fire alarm server behind a virtual private network (VPN) to protect it from external exploitation attempts. Researchers found some vulnerable Honeywell NWS-3 systems were directly accessible on the Internet.
Organizations that use Honeywell NWS-3 fire alarm servers should update to firmware 4.51. All critical servers, especially those with web-based administration interfaces, should be isolated from the Internet to prevent attackers from probing them for vulnerabilities. If administrators need remote access, critical systems should be reachable only after connecting to a corporate VPN that requires multi-factor authentication and client certificates. Servers and workstations should be monitored for patterns of unusual access that may indicate an intrusion. Collecting server logs in a central repository and processing them in a Security Information and Event Management (SIEM) system monitored by a Security Operations Center (SOC) are important elements of a defense-in-depth strategy.
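The monitoring recommendation above is easiest to act on with concrete detection logic. The following is an added example, not code from Honeywell, the advisory, or the original article: it reads constructed web-server access-log lines for a fire alarm server's management interface and raises alerts for the two access patterns the vulnerabilities describe (an administration page served to a client that never logged in, and a backup database file downloaded without a login), plus any request arriving from outside the networks that should be allowed to reach the interface at all. The log format, the `/login`, `/admin/` and `/backup/` paths, the sample client addresses, and the trusted network ranges are all assumptions chosen for the example; the real NWS-3 interface may use different paths and should be checked against its own logs.

```python
import ipaddress
import re

# Constructed sample access-log lines (Combined Log Format style). Addresses,
# timestamps and paths are made up for this example; they are not from the
# advisory or from a real NWS-3 device.
SAMPLE_LOG = """\
10.20.0.15 - - [10/Mar/2020:09:01:02 +0000] "POST /login HTTP/1.1" 302 0
10.20.0.15 - - [10/Mar/2020:09:01:05 +0000] "GET /admin/panels HTTP/1.1" 200 5120
203.0.113.77 - - [10/Mar/2020:09:02:10 +0000] "GET /admin/panels HTTP/1.1" 200 5120
203.0.113.77 - - [10/Mar/2020:09:02:11 +0000] "GET /backup/config.db HTTP/1.1" 200 88231
10.20.0.31 - - [10/Mar/2020:09:03:00 +0000] "GET /backup/config.db HTTP/1.1" 200 88231
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Assumed endpoint names: placeholders for this example, not the device's real paths.
LOGIN_PATH = "/login"
ADMIN_PREFIX = "/admin/"
BACKUP_RE = re.compile(r"^/backup/.*\.(db|bak|sql)$")

# Assumed: only the corporate LAN and the VPN address pool should ever reach
# the management interface. Anything else violates the isolation requirement.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_text):
    """True if the client address lies inside one of the networks allowed to reach the interface."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in TRUSTED_NETS)


def detect(log_text):
    """Return a list of (rule, client_ip, path) alerts, in log order."""
    alerts = []
    logged_in = set()  # clients that completed a login earlier in this log window
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detector
        ip, path, status = rec["ip"], rec["path"], rec["status"]

        # Rule 1: the interface should not be reachable from untrusted networks at all.
        if not is_trusted(ip):
            alerts.append(("external_access", ip, path))

        # Record a successful login (assumed: POST /login answered with 200 or 302).
        if rec["method"] == "POST" and path == LOGIN_PATH and status in (200, 302):
            logged_in.add(ip)
            continue

        served = 200 <= status < 300
        # Rule 2: an admin page served to a client with no prior login suggests an
        # authentication bypass of the kind CVE-2020-6972 describes.
        if path.startswith(ADMIN_PREFIX) and served and ip not in logged_in:
            alerts.append(("admin_without_login", ip, path))
        # Rule 3: a backup database served without a login matches the
        # unauthenticated download CVE-2020-6974 describes.
        if BACKUP_RE.match(path) and served and ip not in logged_in:
            alerts.append(("backup_without_login", ip, path))
    return alerts


if __name__ == "__main__":
    for rule, ip, path in detect(SAMPLE_LOG):
        print(f"{rule:22} {ip:16} {path}")
```

Rules 2 and 3 fire for the internal client `10.20.0.31` as well as the external one, which is the point: the patch closes the hole, but a SIEM correlation like this still catches a successful request that should have required a login, whatever network it came from. In a real deployment the login-state tracking would be keyed on the session cookie rather than the client address, and the trusted ranges would come from the firewall policy rather than a constant.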
For more information, please see:
https://www.securityweek.com/vulnerabilities-allow-hackers-access-honeywell-fire-alarm-systems and https://www.us-cert.gov/ics/advisories/icsa-20-051-03