Honeywell Falcon Administrative Bypass

2014.10.02
Credit: Martin Jartelius
Risk: High
Local: No
Remote: Yes
CVE: CVE-2014-2717
CWE: CWE-Other


CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

After giving the market two extra months for patching and also contacting some of the affected national CERTs Outpost24 today released the vulnerability details for CVE-2014-2717. This vulnerability consists of a missing access restriction in combination with a flawed login function, resulting in something as exotic as a pass the hash vulnerability to authenticate with a SCADA system, giving administrative access.* *TL;DR; The Honeywell Falcon (XLWeb Linux/Webserver) contains a vulnerability which allows anyone, even without knowing the username or password, to log in as an administrator in the system. Although information regarding the presence of the vulnerability has been available for a few months since its open disclosure by the ISC CERT to member organizations, there are multiple unpatched systems that remain exposed to the Internet. Outpost24 have waited for an airport we were aware of were affected to patch before releasing. The more full information is available here; http://www.outpost24.com/cve-2014-2717-attacking-the-honeywell-falcon-xlweb/ References: https://ics-cert.us-cert.gov/advisories/ICSA-14-175-01 CVE-2014-2717 AFFECTED PRODUCTS The following Honeywell FALCON XLWeb controller versions are affected: * FALCON Linux 2.04.01 or older * FALCON XLWebExe 2.02.11 or older. IMPACT An attacker may use these vulnerabilities to generate a valid login for an administrative user in the Honeywell FALCON XLWeb controller obtaining full administrator access to the system. The impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture and product implementation. The affected products, FALCON XLWeb controllers, are web-based SCADA systems. According to Honeywell, FALCON XLWeb controllers are deployed across several industries including critical manufacturing, energy and wastewater systems among others. According to Honeywell, the affected controllers are used by customers primarily in Europe and the Middle East. Outpost24 would like to direct a thank you to Honeywell and ICS CERT for their fast work in resolving the problems, and we also completely share the vendors recommendation that SCADA systems already in the first place should not be internet facing. The vendor have been a pleasure to work with and have taken every care to resolve the issue timely. Martin Jartelius CSO Outpost24 www.outpost24.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top