Critical Vulnerabilities Discovered in Honeywell Industrial Control Systems

July 13, 2023

Armis, a cybersecurity firm, has identified multiple vulnerabilities in Honeywell's distributed control system (DCS) products, potentially exposing industrial organizations to cyber-attacks. The vulnerabilities were reported to Honeywell last year, and all have since been patched. The vulnerabilities, collectively referred to as 'Crit.IX,' are officially tracked as CVE-2023-23585, CVE-2023-22435, CVE-2023-24474, CVE-2023-25078, CVE-2023-25178, CVE-2023-24480, CVE-2023-25948, CVE-2023-25770, and CVE-2023-26597.

These vulnerabilities affect several of Honeywell's Experion DCS platforms and the associated C300 DCS controller. The impacted platforms include the Experion Process Knowledge System (EPKS), LX, and PlantCruise, which are used to manage industrial operations across sectors including agriculture, water, pharmaceuticals, and nuclear power.

Armis' investigation focused on the proprietary Control Data Access (CDA) protocol used for communication between Experion servers and C300 controllers. The researchers found that CDA neither encrypts traffic nor properly authenticates peers, so an attacker with network access can impersonate either a server or a controller. In practice, this means the attack can be launched from any compromised IT, OT, or IoT device that sits on the same network as the targeted DCS.
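When a control protocol cannot authenticate its peers, peer identity has to be enforced at the network layer instead: only the designated Experion servers and engineering workstations should ever be talking to a C300. The script below is an added example written for this page, not code from Armis, Honeywell or the article; it flags flows touching a controller whose other endpoint is not on an approved-peer list. The CSV flow format, the IP addresses and the controller port are all constructed or assumed for the example (the real CDA port should be taken from site documentation, not from this script).

```python
"""Flag unapproved peers talking to DCS controllers over constructed flow logs.

Added example (not from Armis, Honeywell or the original article). The log
format, addresses and controller port are constructed for illustration.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# ASSUMPTION: TCP port the controller protocol listens on at this site.
# This value is hypothetical; replace it with the port documented for your plant.
CONTROLLER_PORT = 55553


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


# Constructed sample log in a simplified Zeek-style conn format (ts,src,sport,dst,dport,proto).
# 10.20.5.50 and 10.20.5.51 play the C300 controllers; 10.20.1.10/11 are the
# approved Experion server and engineering workstation. The remaining hosts are
# unexpected peers that a flat network would let straight through to the controller.
SAMPLE_LOG = """\
ts,src,sport,dst,dport,proto
1689206400.1,10.20.1.10,51234,10.20.5.50,55553,tcp
1689206401.4,10.20.1.11,51300,10.20.5.50,55553,tcp
1689206402.9,10.20.1.99,40000,10.20.5.50,55553,tcp
1689206403.2,10.20.5.50,55553,10.20.3.7,4444,tcp
1689206404.0,10.20.1.10,51235,10.20.5.51,55553,tcp
1689206405.5,192.168.1.5,33000,10.20.5.51,55553,tcp
"""


def parse_flows(text):
    """Parse CSV flow records; addresses are normalised through ipaddress so
    that equivalent spellings compare equal."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append(Flow(
            ts=float(row["ts"]),
            src=str(ipaddress.ip_address(row["src"])),
            sport=int(row["sport"]),
            dst=str(ipaddress.ip_address(row["dst"])),
            dport=int(row["dport"]),
            proto=row["proto"].lower(),
        ))
    return flows


def find_unapproved_peers(flows, controllers, approved_peers, port=CONTROLLER_PORT):
    """Return (ts, peer, controller, direction) for every flow that touches a
    controller on the control port, or that a controller initiates, where the
    other endpoint is neither an approved server/workstation nor another
    controller. Both directions matter: an unknown host reaching the control
    port may be impersonating a server, and a controller reaching out to an
    unknown host is equally out of place."""
    controllers = set(controllers)
    approved_peers = set(approved_peers)
    alerts = []
    for f in flows:
        if f.dst in controllers and f.dport == port:
            peer, ctrl, direction = f.src, f.dst, "to_controller"
        elif f.src in controllers:
            peer, ctrl, direction = f.dst, f.src, "from_controller"
        else:
            continue
        if peer not in approved_peers and peer not in controllers:
            alerts.append((f.ts, peer, ctrl, direction))
    return alerts


if __name__ == "__main__":
    for ts, peer, ctrl, direction in find_unapproved_peers(
        parse_flows(SAMPLE_LOG),
        controllers={"10.20.5.50", "10.20.5.51"},
        approved_peers={"10.20.1.10", "10.20.1.11"},
    ):
        print(f"{ts:.1f} {direction:16s} peer={peer:14s} controller={ctrl}")
```

Running it against the constructed log reports the three flows involving hosts outside the approved set (10.20.1.99 and 192.168.1.5 reaching the control port, and the controller itself opening a connection to 10.20.3.7). The same check applies unchanged to real Zeek or firewall flow exports once the column mapping and controller port are set for the site.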

The Crit.IX vulnerabilities could be exploited to launch denial-of-service (DoS) attacks, obtain sensitive information, and achieve remote code execution on the controller or the server. This would allow an attacker to manipulate or disrupt controllers and engineering workstations, potentially resulting in production downtime or damage to industrial equipment. Attackers could also exploit these flaws for lateral movement within the targeted organization.

According to Armis, exploiting the Crit.IX vulnerabilities could lead to the 'compromise of pharmaceutical batches and chemical compounds, and the disruption of power distribution to interconnected systems downstream.' This is not the first time Armis has found vulnerabilities in ICS products, having previously discovered the ModiPwn flaws in Schneider Electric PLCs and the Urgent/11 vulnerabilities impacting several industrial giants' products.
