Honeywell created a patch that mitigates a denial-of-service (DoS) vulnerability in the Uniformance Process History Database (PHD), according to a report on ICS-CERT.
Honeywell reports the remotely exploitable vulnerability affects the following versions: Uniformance PHD R310, Uniformance PHD R320, and Uniformance PHD R321.
A denial-of-service attack can cause the process to become unresponsive.
Honeywell is a U.S.-based company that maintains offices worldwide. The affected products, Uniformance PHD, end up used together with a DCS to provide a historian for engineering and business analytics. Uniformance PHD products see action across several sectors including chemical, critical manufacturing, energy, and water and wastewater systems. Honeywell estimates that these products see use on a global basis.
A buffer overflow exploit used against the RDISERVER can cause the process to become unresponsive.
CVE-2016-2280 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.
Honeywell has provided patches for the software impacted. For more information about this vulnerability and how to apply the patches, please see Honeywell’s Security Notification SN 2016-01-27 under the support tab.