Multiple Critical Flaws Discovered in Honeywell Experion PKS and ACE Controllers

Cyber Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released an advisory regarding multiple security vulnerabilities affecting all versions of Honeywell Experion Process Knowledge System C200, C200E, C300, and ACE controllers that could be exploited to achieve remote code execution and denial-of-service (DoS) conditions.

“A Control Component Library (CCL) may be modified by a bad actor and loaded to a controller such that malicious code is executed by the controller,” Honeywell noted in an independent security notification published earlier this February. Credited with discovering and reporting the flaws are Rei Henigman and Nadav Erez of industrial cybersecurity firm Claroty.

Experion Process Knowledge System (PKS) is a distributed control system (DCS) that’s designed to control large industrial processes spanning a variety of sectors ranging from petrochemical refineries to nuclear power plants where high reliability and security is important.

The list of three flaws is as follows –

  • CVE-2021-38397 (CVSS score: 10.0) – Unrestricted Upload of File with Dangerous Type
  • CVE-2021-38395 (CVSS score: 9.1) – Improper Neutralization of Special Elements in Output Used by a Downstream Component
  • CVE-2021-38399 (CVSS score: 7.5) – Relative Path Traversal

According to Claroty, the issues hinge on the download code procedure that’s essential to program the logic running in the controller, thus enabling an attacker to mimic the process and upload arbitrary CLL binary files. “The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication,” researchers Henigman and Erez said.

In a nutshell, successful exploitation of the shortcomings could permit a malicious party to access unauthorized files and directories, and worse, remotely execute arbitrary code and cause a denial-of-service condition. To prevent loading a modified CCL with malicious code to a controller, Honeywell has incorporated additional security enhancements by cryptographically signing each CCL binary that’s validated prior to its use.

Users are urged to update or patch as soon as possible in order to mitigate these vulnerabilities fully.