Honeywell created patches to mitigate a denial-of-service condition caused by an improper input validation vulnerability in its Experion Process Knowledge System (PKS) platform, according to an ICS-CERT report.
Successful exploitation of the vulnerability would prevent the Experion PKS client tools from uploading firmware to Series-C devices.
The following Experion PKS versions are affected by the remotely exploitable vulnerability:
• Experion PKS, Release 3xx and prior
• Experion PKS, Release 400
• Experion PKS, Release 410
• Experion PKS, Release 430
• Experion PKS, Release 431
Honeywell is a U.S.-based company that maintains offices worldwide.
The affected product, Experion PKS, is a client tool used to configure firmware in Series-C devices.
Experion PKS is used across several sectors, including commercial facilities, critical manufacturing, energy, and water and wastewater systems. Honeywell said the product is used primarily in the United States and Europe, with a small percentage in Asia.
Experion PKS does not properly validate input. By sending a specially crafted packet, an attacker could cause the process to terminate. A successful exploit would prevent firmware uploads to the Series-C devices.
CVE-2016-8344 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 3.7.
No known public exploits specifically target this vulnerability. However, an attacker with a medium skill level would be able to exploit it.
Honeywell recommended Experion users download and apply the appropriate patch to protect themselves from this vulnerability.
Honeywell’s software downloads that resolve the vulnerability include the following:
• R400.8 HOTFIX1
• R410.8 HOTFIX6
• R430.5 HOTFIX1
• R431.2 HOTFIX2
In the event that a patch is not yet available for a current Experion release, Honeywell recommends users either isolate the network traffic when using the client tools (eNAP Server service) or turn the eNAP Server service off when not uploading new firmware until a patch is available.
Users can contact Honeywell technical support for registration and installation instructions for these patches.