Patches are now available to fill a vulnerability in the Honeywell Enterprise Buildings Integrator (EBI) software systems that have Temaline physical access control products installed, according to Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
Temaline client products use the Tema Remote Installer to download and install required Tema components for client workstation access.
Tema Remote Installer uses DownloadURL() ActiveX function configured to ignore file authentication. This misuse of an ActiveX function allows download and installation of any MSI file without checking source authenticity or user notification.
ICS-CERT coordinated this vulnerability report with Honeywell and security researchers Billy Rios and Terry McCorkle. Honeywell released two patches resolving this vulnerability. ICS-CERT validated the patches resolve the vulnerability.
The vulnerability affects the following EBI products:
• EBI R310.1 – TEMA 4.8
• EBI R310.1 – TEMA 4.9
• EBI R310.1 – TEMA 4.10
• EBI R400.2 SP1 – TEMA 5.2
• EBI R410.1 – TEMA 5.3.0
• EBI R410.2 – TEMA 5.3.1.
Successful exploitation may result in the ability to execute arbitrary code on the targeted human-machine interface system.
Honeywell EBI is a building system integration software product sold globally by Honeywell Building Solutions and Honeywell Process Solutions. Building operators and facility engineers use EBI to control HVAC, physical security, life safety and energy systems. EBI software monitors alarms and events and allows for system configuration and administration.
“There is a small number of EBI-Temaline systems installed in industrial plants that provide physical access control,” said Kevin Staggs, engineering fellow at Honeywell ACS Advanced Technology Lab. “Honeywell notified those plants about the system vulnerabilities, as well as the availability of the patch, prior to the ICS-CERT notice being issued. The vulnerability does not directly impact any processes.”
The TEMA Remote Installer is an automated software installation tool that supports installation of Temaline workstation clients.
The TEMA Remote Installer contains an ActiveX control that exposes a method that allows execution of arbitrary code. If a specially crafted MSI file renamed “ThinClient_TemaKit.msi” downloads using Honeywell’s TEMA Remote Installer, the file will silently install on the target machine. This specially crafted MSI file could then alter the functionality and control of the running EBI system and enable other unauthorized remote actions. The implementation of this ActiveX control does not verify the origin of the MSI file.
This vulnerability is remotely exploitable and there are no public exploits known. Crafting a working exploit for this vulnerability would require moderate skill.
Honeywell created a patch that resolves this vulnerability. The user should contact their regional security technical consultant.
The update should apply to:
• All EBI Server computers
• All EBI client computers that have had Station Client and Temaline Web Clients installed.
• All computers that have had Temaline Web Reception installed.