Exploitation of this vulnerability could allow partial loss of availability, integrity and confidentiality, and could be exploited remotely to affect systems deployed in the government facilities and commercial facilities sectors, wrote Juan Vazquez, a researcher at Rapid7/Metasploit, in a blog post. After Rapid7 and Metasploit discovered the vulnerability, it notified both Honeywell and CERT/CC, who in turn coordinated with ICS-CERT, the group responsible for collaborating with SCADA vendors to ensure vulnerabilities are fixed.
The issue affects the Honeywell Enterprise Buildings Integrator (EBI) platform, which is used to integrate different systems and devices into a common platform. Using open architecture and industry standards, EBI integrates existing buildings systems, providing seamless digital information and control across all building operational management systems.
This IP-enabled wonder of efficiency makes building management easier, but also throws open a vector for bad actors to leverage for nefarious purposes. The attack is fairly straightforward: the vulnerability allows remote attackers to execute arbitrary code via a specially crafted HTML document. The attacker can simply send an email message to the end user containing a link to a website with the document to initiate the attack.
“If you own or operate one of these building control systems, you really should take a few moments and spend quality time with your Honeywell sales and service representative to ask about getting the latest Station Security Update Package,” said Vazquez. “When we first reported this to Honeywell, their responsiveness and concern was both prompt and thorough, so it's clear to all of us at Rapid7 that Honeywell definitely has their customers' security interests at heart. From a disclosure standpoint, Honeywell's response was A++++.”
This is the second issue identified in Honeywell systems in recent days. In February, a vulnerability that would give hackers the ability to remotely control electronic door locks, alarms, lights, elevators, heating and thermostat systems, and other physical industrial facilities via Honeywell’s Tridium Niagara Framework was discovered by Cylance researchers Billy Rios and Terry McCorkle.
In general, ICS vulnerabilities continue to make news. On Thanksgiving Day in the US, Aaron Portnoy, the vice president of research at Exodus Intelligence, was able to uncover no fewer than 23 vulnerabilities in SCADA systems in just a few hours. The first exploitable zero-day took a mere seven minutes to discover. “I had a morning’s worth of time to wait for a turkey to cook, so I decided to take a shot at finding as many SCADA 0day vulnerabilities as possible,” he explained. “For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison."