On Tuesday, October 5, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory to inform organizations about vulnerabilities in Honeywell Experion Process Knowledge System (PKS) and ACE controllers that could be exploited to achieve remote code execution and denial-of-service (DoS) conditions.
The three vulnerabilities are as follows:
- CVE-2021-38397 – (CVSS score: 10.0) – Unrestricted Upload of File with Dangerous Type (CWE-434)
- CVE-2021-38395 – (CVSS score: 9.1) – Improper Neutralization of Special Elements in Output Used by a Downstream Component (CWE-74)
- CVE-2021-38399 – (CVSS score: 7.5) – Relative Path Traversal (CWE-23)
Experion Process Knowledge System (PKS) is a distributed control system (DCS) designed to control large industrial processes. Control logic is packaged as Control Component Library (CCL) binaries; each CCL binary programmed for a controller is downloaded from the engineering station to the DCS components.
Team82 researchers from cybersecurity company Claroty found that it is possible to mimic the code-download procedure and use these requests to upload arbitrary DLL/ELF files. “The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication,” Team82 researchers said. In effect, the controller trusts whatever the download channel delivers, so anyone who can reach it over the network can push native code to it.
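The checks the quoted passage says are missing can be made concrete. The following is an added illustrative example, not Honeywell's code and not a description of the Experion download protocol (which the advisory does not detail): it models a receiving component that gates an uploaded module on a path-containment check (the relative path traversal weakness), a native-executable type check (the dangerous-type upload weakness) and an allowlist of approved binary hashes before anything is written or loaded. The staging directory, the allowlist and the sample payloads are constructed for the demonstration.

```python
"""
Illustrative upload validator for a code-download channel.

Added example, not Honeywell's code. It models the checks a component
receiving CCL-style binaries should perform before writing and loading a
module: path containment, executable-type detection and a hash allowlist.
The directory, allowlist and payloads below are constructed for the demo.
"""
import hashlib
import posixpath
from typing import Dict, Optional, Tuple

# Magic bytes that identify the native executable images a loader would run.
ELF_MAGIC = b"\x7fELF"
PE_MAGIC = b"MZ"

# Hypothetical allowlist: SHA-256 of every binary the engineering station is
# authorised to push. Filled below from the constructed sample module.
APPROVED_SHA256 = set()

STAGING_DIR = "/var/ccl/staging"  # hypothetical destination directory


def is_native_executable(data: bytes) -> bool:
    """True if the payload starts like an ELF or PE image."""
    return data.startswith(ELF_MAGIC) or data.startswith(PE_MAGIC)


def safe_destination(base_dir: str, name: str) -> Optional[str]:
    """Resolve name under base_dir; None if it escapes the directory.

    Uses POSIX rules so '..', '.' and duplicate slashes collapse before the
    containment test. Backslashes and NULs are rejected outright because a
    downstream filesystem may treat them as separators or terminators.
    """
    if "\\" in name or "\x00" in name or posixpath.isabs(name):
        return None
    base = base_dir.rstrip("/")
    joined = posixpath.normpath(posixpath.join(base, name))
    if not joined.startswith(base + "/"):
        return None
    return joined


def validate_upload(name: str, data: bytes) -> Tuple[bool, str]:
    """Gate an uploaded module. Returns (accepted, destination_or_reason).

    Cheapest structural checks run first; the hash comparison runs last.
    """
    dest = safe_destination(STAGING_DIR, name)
    if dest is None:
        return False, "path traversal or absolute path in file name"
    if not is_native_executable(data):
        return False, "payload is not a native executable image"
    digest = hashlib.sha256(data).hexdigest()
    if digest not in APPROVED_SHA256:
        return False, "sha256 %s... not on approved list" % digest[:12]
    return True, dest


# Constructed samples: fake ELF headers followed by filler. Real CCL binaries
# are not reproduced here; only the magic bytes matter to the type check.
APPROVED_MODULE = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"approved-ccl-body"
ROGUE_MODULE = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"rogue-body"
APPROVED_SHA256.add(hashlib.sha256(APPROVED_MODULE).hexdigest())


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the validator over four constructed uploads and return the verdicts."""
    cases = {
        "approved": ("block1.so", APPROVED_MODULE),
        "rogue_binary": ("block1.so", ROGUE_MODULE),
        "traversal": ("../../bin/loader.so", APPROVED_MODULE),
        "not_executable": ("notes.so", b"just text"),
    }
    return {label: validate_upload(n, d) for label, (n, d) in cases.items()}


if __name__ == "__main__":
    for label, (accepted, detail) in demo().items():
        print("%-15s %-8s %s" % (label, "ACCEPT" if accepted else "REJECT", detail))
```

The allowlist is the control that actually closes the hole the researchers describe: the type check only tells you the payload is executable, while the hash (or, in a real deployment, a signature verified against a key held by the engineering station) tells you it is one the operator intended to deploy. Note that the traversal check is performed on the normalised path, not on the raw string, so encodings such as `a/../../x` are caught as well as a bare `../`.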