1. EXECUTIVE SUMMARY
- CVSS v3 9.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Honeywell
- Equipment: Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC
- Vulnerabilities: Exposed Dangerous Method or Function, Absolute Path Traversal, Stack-based Buffer Overflow, Debug Messages Revealing Unnecessary Information, Out-of-bounds Write, Heap-based Buffer Overflow, Binding to an Unrestricted IP Address, Improper Input Validation, Buffer Access with Incorrect Length Value, Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Handling of Length Parameter Inconsistency
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could disclose sensitive information, allow privilege escalation, or allow remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Honeywell reports these vulnerabilities affect the following versions of Experion PKS, LX, PlantCruise, Safety Manager, and Safety Manager SC:
- Experion PKS: All releases prior to R510.2 HF14
- Experion PKS: All releases prior to R511.5 TCU4 HF4
- Experion PKS: All releases prior to R520.1 TCU5
- Experion PKS: All releases prior to R520.2 TCU4 HF2
- Experion LX: All releases prior to R511.5 TCU4 HF4
- Experion LX: All releases prior to R520.1 TCU5
- Experion LX: All releases prior to R520.2 TCU4 HF2
- PlantCruise by Experion: All releases prior to R511.5 TCU4 HF4
- PlantCruise by Experion: All releases prior to R520.1 TCU5
- PlantCruise by Experion: All releases prior to R520.2 TCU4 HF2
- Safety Manager: R15x, R16x up to and including R162.10
- Safety Manager SC: R210.X, R211.1, R211.2, R212.1
3.2 Vulnerability Overview
3.2.1 Exposed Dangerous Method or Function CWE-749
Successful exploitation of this vulnerability could allow an attacker to modify files on Experion controllers or SMSC S300. This exploit could be used to write a file that may result in unexpected behavior based on configuration changes or updating of files that could result in subsequent execution of a malicious application if triggered.
CVE-2023-5389 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5389. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Absolute Path Traversal CWE-36
Successful exploitation of this vulnerability could allow an attacker to read from the Experion controllers or SMSC S300. This exploit could be used to read files from the controller that may expose limited information from the device.
CVE-2023-5390 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-5390. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 Stack-based Buffer Overflow CWE-121
Successful exploitation of this vulnerability against the Experion controller, ControlEdge PLC, Safety Manager or SMSC S300 could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5407 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5407. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.4 Debug Messages Revealing Unnecessary Information CWE-1295
Successful exploitation of this vulnerability against the Experion controller, ControlEdge PLC, Safety Manager or SMSC S300 could allow an attacker to extract more information from memory over the network than is required.
CVE-2023-5392 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-5392. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.5 Out-of-bounds Write CWE-787
Successful exploitation of this vulnerability against the Experion Servers or Stations by manipulation messages from a controller could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5406 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5406. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.6 Out-of-bounds Write CWE-787
Successful exploitation of this vulnerability against the Experion Servers or Stations could result in an information leak when an error is generated.
CVE-2023-5405 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-5405. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.7 Heap-based Buffer Overflow CWE-122
Successful exploitation of these vulnerabilities against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5400 and CVE-2023-5404 have been assigned to these vulnerabilities. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5400 and CVE-2023-5404. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.8 Stack-based Buffer Overflow CWE-121
Successful exploitation of these vulnerabilities against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403 have been assigned to these vulnerabilities. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.9 Binding to an Unrestricted IP Address CWE-1327
Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition over the network using specially crafted messages.
CVE-2023-5398 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5398. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.10 Improper Input Validation CWE-20
Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5397 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5397. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.11 Buffer Access with Incorrect Length Value CWE-805
Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5396 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5396. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.12 Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-119
Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5394 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5394. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.13 Improper Handling of Length Parameter Inconsistency CWE-130
Successful exploitation of this vulnerability against the Experion Servers or Stations could allow an attacker to cause a denial-of-service condition or perform a remote code execution over the network using specially crafted messages.
CVE-2023-5393 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-5393. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Water and Wastewater Systems
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Claroty and Armis reported these vulnerabilities to Honeywell.
4. MITIGATIONS
Honeywell fixed the reported issues and advises users to upgrade to version referenced in the Security Notice or CVE record.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Ensure the least-privilege user principle is followed.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY
- April 25, 2024: Initial Publication