Honeywell released new firmware to mitigate an improper input validation vulnerability in its equIP series IP cameras, according to a CISA report.
Successful exploitation of this remotely exploitable vulnerability, which Honeywell self-reported, could result in denial-of-service conditions. Honeywell reports that the vulnerability affects the equIP series IP camera products listed in full in Honeywell Security Notification SN 2019-09-13 01.
A vulnerability exists in the affected products where a specially crafted HTTP packet request could result in a denial of service.
CVE-2019-18228 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The products are used mainly in the commercial facilities, critical manufacturing, energy, and healthcare and public health sectors, and they are deployed worldwide.
Honeywell released firmware update packages for all affected products.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Honeywell recommends that users with potentially affected products take the following steps to protect themselves:
• Update firmware of vulnerable devices per this security notification
• Isolate their system from the Internet, or add layers of defense between their system and the Internet by placing the affected hardware behind a firewall or in a DMZ
• If remote connections to the network are required, consider using a VPN or other means to ensure secure remote connections into the network where the device is located
More information on this issue can be found in Honeywell Security Notification SN 2019-09-13 01.