Claroty’s Team82 researchers have disclosed three vulnerabilities in Honeywell’s Experion Process Knowledge System (PKS) distributed control system (DCS). The vulnerabilities could allow an attacker to modify a Control Component Library (CCL) and load it to a controller, which would then execute malicious code. Denial-of-service attacks are also possible.
The vulnerabilities affect all versions of the C200, C200E, C300, and ACE controllers and simulators. An attacker could use the vulnerabilities to execute native code on the system, modify process values, or disrupt critical processes.
Honeywell has addressed these vulnerabilities and issued an advisory. Users are urged to update or patch affected systems as soon as possible.
ICS-CERT published an advisory today, and rated the vulnerabilities collectively, a 10.0, the highest criticality CVSS score.
Background
Distributed control systems (DCS) are complex systems designed to control large industrial processes, comprising multiple controllers, I/O devices, and human-machine interfaces (HMIs). These systems are usually used in large plants, where high availability and continuous operations are required.
Honeywell Experion Process Knowledge System (PKS) is a DCS that is widely adopted globally and across different industries. This vast automation platform integrates data from controllers across an environment, providing a centralised view of processes plant-wide. The system primarily uses C200, C300 and ACE controllers, which may be programmed through Experion PKS Configuration Studio, Honeywell’s engineering workstation software. The logic—developed as block diagrams—can then be downloaded from the engineering workstation to the different components in the DCS.
Distributed control systems are often regarded as a black box by cybersecurity researchers. Relatively few DCS vulnerabilities are disclosed, because the equipment is difficult to obtain. Like many other types of industrial equipment, it’s not readily available for purchase online, and it may be extremely expensive to purchase and configure. This is frequently the case with industrial control systems and SCADA equipment, and it presents a significant barrier to entry for newly active ICS security researchers, who are much more likely to examine commodity gear from market-leading vendors.
Technical Details
Honeywell Experion PKS controllers and simulators communicate with the Experion PKS Configuration Studio engineering software for programming purposes over TCP ports 55553 and 55555. These ports are used to communicate with the Experion PKS Configuration Studio software suite using a proprietary Honeywell engineering protocol. One of the applications within this suite is the Honeywell Experion Control Builder (contbldr.exe), which is responsible for programming the logic running in the controller.
As with every SCADA/DCS controller, it is possible to change current logic by performing a download code procedure. As part of this mechanism, the Honeywell Experion Control Builder software transfers compiled logic to the device and then executes it.
It is worth noting that the logic is compiled to the controller’s CPU machine code (e.g. x86 bytecode), which may present a security risk. Usually, a sandbox or some other type of security control is in place that prevents native code execution. In this case, the Experion PKS lacks a sandbox, memory protection, or other restrictions on malicious code before it is executed.
Sandboxes, for example, are crucial cybersecurity controls, especially in the ICS domain; executables are executed in an isolated area which restricts its capabilities, such as accessing system resources, to a bare minimum. They are a critical tool to keep untested or untrusted code from affecting processes, and in limiting the spread of malware and exploits targeting known and unknown vulnerabilities.
However, even sandboxes aren’t always foolproof. Earlier this year, Team82 published research into Siemens SIMATIC PLCs that demonstrated vulnerabilities that made it possible to bypass memory protections in the sandbox, and run native code in protected areas of memory.
In the case of the Experion PKS, Team82 found that it is possible to mimic the download code procedure and use these requests to upload arbitrary DLL/ELF files (for simulators and controllers, respectively). The device then loads the executables without performing checks or sanitisation, giving an attacker the ability to upload executables and run unauthorised native code remotely without authentication.
Generally, ports 55553 and 55555 are not exposed to the internet. An attacker would have to find another way to gain a foothold on the OT network in order to attack these vulnerabilities. In such a scenario, the two vulnerabilities discovered by Team82 could be leveraged to execute native code without restrictions. With such access to a DCS, an attacker could seriously disrupt operations by modifying process values, or use the DCS as a base for launching further attacks on the network using malware or exploits.
Summary
All Experion PKS customers using the affected controllers in their environments, regardless of whether they use CCLs, are affected. An attacker already on the network can impact processes by loading a modified CCL with malicious code to a controller that would execute the attacker’s code.
Honeywell should be recognised for its response to these critical vulnerabilities. To address the flaws Team82 privately disclosed, Honeywell has added cryptographic signing to CCLs to ensure they have not been tampered with. Each CCL binary now has an associated cryptographic signature that is sent to the controller when the CCL is loaded; that signature is validated before the CCL is used, Honeywell said in its advisory.
Honeywell has made patches available for affected Experion PKS versions, including server software patches and fixes for the controller firmware. Both must be applied in order to fully mitigate these vulnerabilities.
Hotfixes have either been released or will be released for versions R510.2 (Hotfix10, released) and R501.6. Version R511.5 also addresses all of these vulnerabilities. No patches are available for other Experion releases, and those users are urged to migrate to the latest point release.
CVE Information
- CVE-2021-38397
CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS score: 10.0
The affected products are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.
- CVE-2021-38395
CWE-74: Improper Neutralisation of Special Elements in Output Used by a Downstream Component
CVSS score: 9.1
The affected products are vulnerable to improper neutralisation of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition. - CVE-2021-38399
CWE-23: Relative Path Traversal
CVSS score: 7.5
The affected products are vulnerable to relative path traversal, which may allow an attacker access to unauthorised files and directories.
