Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC

2024-04-25 14:00 (CEST) US CERT (ICS)

Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC

View CSAF
1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Honeywell
Equipment: Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC
Vulnerabilities: Exposed Dangerous Method or Function, Absolute Path Traversal, Stack-based Buffer Overflow, Debug Messages Revealing Unnecessary Information, Out-of-bounds Write, Heap-based Buffer Overflow, Binding to an Unrestricted IP Address, Improper Input Validation, Buffer Access with Incorrect Length Value, Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Handling of Length Parameter Inconsistency

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could disclose sensitive information, allow privilege escalation, or allow remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Honeywell reports these vulnerabilities affect the following versions of Experion PKS, LX, PlantCruise, Safety Manager, and Safety Manager SC:

Experion PKS: All releases prior to R510.2 HF14
Experion PKS: All releases prior to R511.5 TCU4 HF4
Experion PKS: All releases prior to R520.1 TCU5
Experion PKS: All releases prior to R520.2 TCU4 HF2
Experion LX: All releases prior to R511.5 TCU4 HF4
Experion LX: All releases prior to R520.1 TCU5
Experion LX: All releases prior to R520.2 TCU4 HF2
PlantCruise by Experion: All releases prior to R511.5 TCU4 HF4
PlantCruise by Experion: All releases prior to R520.1 TCU5
PlantCruise by Experion: All releases prior to R520.2 TCU4 HF2
Safety Manager: R15x, R16x up to and including R162.10
Safety Manager SC: R210.X, R211.1, R211.2, R212.1

3.2 Vulnerability Overview
3.2.1 Exposed Dangerous Method or Function CWE-749
Successful exploitation of this vulnerability could allow an attacker to modify files on Experion controllers or SMSC S300. This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered.
CVE-2023-5389 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5389. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Absolute Path Traversal CWE-36
Successful exploitation of this vulnerability could allow an attacker to read from the Experion controllers or SMSC S300. This exploit could be used to read files from the controller that may expose limited information from the device.
CVE-2023-5390 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-5390. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 Stack-based Buffer Overflow CWE-121
Successful exploitation of this vulnerability against the Experion controller, ControlEdge PLC, Safety Manager or SMSC S300 could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5407 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5407. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.4 Debug Messages Revealing Unnecessary Information CWE-1295
Successful exploitation of this vulnerability against the Experion controller, ControlEdge PLC, Safety Manager or SMSC S300 could allow an attacker to extract more information from memory over the network than is required.
CVE-2023-5392 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-5392. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.5 Out-of-bounds Write CWE-787
Successful exploitation of this vulnerability against the Experion Servers or Stations by manipulation messages from a controller could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5406 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5406. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.6 Out-of-bounds Write CWE-787
Successful exploitation of this vulnerability against the Experion Servers or Stations could result in an information leak when an error is generated.
CVE-2023-5405 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-5405. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.7 Heap-based Buffer Overflow CWE-122
Successful exploitation of these vulnerabilities against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5400 and CVE-2023-5404 have been assigned to these vulnerabilities. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5400 and CVE-2023-5404. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.8 Stack-based Buffer Overflow CWE-121
Successful exploitation of these vulnerabilities against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403 have been assigned to these vulnerabilities. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.9 Binding to an Unrestricted IP Address CWE-1327
Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition over the network using specially crafted messages.
CVE-2023-5398 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5398. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.10 Improper Input Validation CWE-20
Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5397 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5397. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.11 Buffer Access with Incorrect Length Value CWE-805
Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5396 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5396. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.12 Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119
Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5394 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5394. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.13 Improper Handling of Length Parameter Inconsistency CWE-130
Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5393 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5393. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Claroty and Armis reported these vulnerabilities to Honeywell.
4. MITIGATIONS
Honeywell fixed the reported issues and advises users to upgrade to version referenced in the Security Notice or CVE record.CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Ensure the least-privilege user principle is followed.
Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

April 25, 2024: Initial Publication

https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-04