Honeywell has released a patch for a buffer overflow vulnerability in all products that use the Honeywell HMIWeb Browser.
The vulnerability was reported to the Zero Day Initiative (ZDI) by an anonymous researcher, according to an ICS-CERT advisory.
The affected products and versions are:
1. Honeywell Process Solutions:
• Experion Releases R400.x, R31x, R30x, and R2xx
2. Honeywell Building Solutions:
• Enterprise Buildings Integrator (EBI) Releases R400 and R410.1
• SymmetrE Release R410.1
3. Honeywell Environmental Combustion & Controls:
• SymmetrE Release R410.1
Successful exploitation of this vulnerability could allow remote, unauthenticated attackers to execute arbitrary code.
Honeywell Experion PKS is a distributed control system sold globally by Honeywell Process Solutions. Experion PKS is used for the automation and control of industrial and manufacturing processes.
Honeywell Enterprise Buildings Integrator (EBI) is a building system integration software product sold globally by Honeywell Building Solutions and Honeywell Process Solutions. Building operators and facility engineers use EBI to control HVAC, physical security, life safety, and energy systems. The EBI software monitors alarms and events and allows for system configuration and administration as required.
Honeywell SymmetrE is a building system integration software product sold by Environmental and Combustion Controls in North and South America. Building operators and facility engineers use SymmetrE to primarily control HVAC systems and for open protocol integration. The SymmetrE software monitors alarms and events and allows for system configuration and administration as required.
The Honeywell HMIWeb Browser HSCDSPRenderDLL ActiveX control contains a stack buffer overflow that allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Because the flaw is in an ActiveX control, the attacker's code runs inside the process that hosts the control (Station or Internet Explorer) with the privileges of the logged-on user, which is why the precautions below restrict Web browsing from Station nodes. CVE-2012-0254 has been assigned to this vulnerability. The advisory cites a CVSS V2 base score of 3.4; that figure is low for a remote, unauthenticated code-execution flaw, so prioritize the fix on the stated impact rather than on the score.
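The following C program is an added illustration of the bug class the advisory names, a stack buffer overflow in an in-process component method that copies a caller-supplied string into a fixed-size stack buffer, shown next to a hardened form. It is constructed example code, not Honeywell's HSCDSPRenderDLL; the method name, the 64-byte buffer size and the string parameter are assumptions, since the advisory does not describe the control's interface.

```c
/* Constructed illustration of a stack buffer overflow in a component
 * method, beside its hardened form.  Not Honeywell's code: the method
 * name, buffer size and string parameter are assumptions. */
#include <stdio.h>
#include <string.h>

#define DISPLAY_NAME_MAX 64   /* assumed buffer size for illustration */

/* Vulnerable form: trusts the length of a caller-controlled string.
 * When name holds 64 or more bytes, strcpy writes past buf into the
 * saved frame pointer and return address of this frame.  In an ActiveX
 * control the string arrives from a Web page, so a hostile page would
 * gain control of the hosting browser or Station process. */
int render_display_vulnerable(const char *name)
{
    char buf[DISPLAY_NAME_MAX];
    strcpy(buf, name);            /* no bound: overflows if strlen(name) >= 64 */
    return (int)strlen(buf);
}

/* Length of s, scanning at most cap bytes, so an unterminated or huge
 * input cannot cause an over-read while we measure it. */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: rejects anything that does not fit (leaving room for
 * the terminator) and copies with an explicit byte count, so the buffer
 * cannot be exceeded.  Returns -1 on rejection, else the accepted length. */
int render_display_hardened(const char *name)
{
    char buf[DISPLAY_NAME_MAX];
    if (name == NULL)
        return -1;
    size_t n = bounded_len(name, DISPLAY_NAME_MAX);
    if (n >= DISPLAY_NAME_MAX)    /* 64 or more bytes: no room for '\0' */
        return -1;
    memcpy(buf, name, n);
    buf[n] = '\0';
    return (int)n;
}

/* Fills out with cap-1 'A' bytes plus a terminator: the shape of input a
 * hostile page would pass.  Constructed payload for demonstration only. */
size_t build_oversized_name(char *out, size_t cap)
{
    size_t i;
    for (i = 0; i + 1 < cap; i++)
        out[i] = 'A';
    out[i] = '\0';
    return i;
}

/* Returns 1 if the hardened method rejects a 255-byte name. */
int oversized_name_is_rejected(void)
{
    char payload[256];
    build_oversized_name(payload, sizeof payload);
    return render_display_hardened(payload) == -1;
}

/* Returns 1 if the boundary is exact: 63 bytes accepted, 64 rejected. */
int boundary_is_exact(void)
{
    char ok[DISPLAY_NAME_MAX];         /* 63 'A's + '\0' */
    char too_long[DISPLAY_NAME_MAX + 1];  /* 64 'A's + '\0' */
    build_oversized_name(ok, sizeof ok);
    build_oversized_name(too_long, sizeof too_long);
    return render_display_hardened(ok) == DISPLAY_NAME_MAX - 1
        && render_display_hardened(too_long) == -1;
}

int main(void)
{
    printf("hardened, short name  -> %d\n", render_display_hardened("Overview"));
    printf("hardened, oversized   -> rejected: %d\n", oversized_name_is_rejected());
    printf("boundary exact        -> %d\n", boundary_is_exact());
    /* render_display_vulnerable() is deliberately not called with the
       oversized payload: it would corrupt this function's stack frame. */
    return 0;
}
```

The vulnerable and hardened methods differ only in whether the length of the caller's string is checked before it reaches the stack buffer; the boundary test shows why the check must account for the terminating byte.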
Honeywell Process Solutions (HPS) and Honeywell Building Solutions (HBS) have released fixes for this vulnerability.
HPS customers can download the security notification, which describes the vulnerability and links to the fixes, from www.honeywellprocess.com:
• Select Support, then select Latest Notifications.
• Open the document SN 2012 03 09 01A, Security Vulnerability in HMIWeb Browser.
No login is required to view the document. However, there is a login required to download software using links in Honeywell’s SN document.
HBS customers should contact their local account manager to arrange for updates from HBS service technicians.
Honeywell Environmental Combustion and Control (ECC) SymmetrE customers or their contractors should obtain the HMIWeb Browser update from Honeywell's ECC download site, which requires registration, and install it on the SymmetrE server and on all workstation clients following the Software Release Bulletin instructions.
Additional precautions: do not use a Station node to browse the Internet. If a Station node must be connected to the Internet, do not use Station or Internet Explorer on it to browse the Internet, or limit such browsing to trusted Web sites. Until the patch is installed, keeping Station nodes off general-purpose browsing removes the most likely path for a hostile page to reach the vulnerable control.