CVE-2021-38399 is a vulnerability that affects Honeywell Experion PKS controllers, specifically the C200, C200E, C300, and ACE models. These controllers are commonly used in industrial systems and critical infrastructures to regulate, control, and monitor various processes. The vulnerability allows an attacker to access unauthorized files and directories by exploiting a relative path traversal issue, which may ultimately lead to unauthorized system access and data leakage.

Original References

- CVE-2021-38399: https://nvd.nist.gov/vuln/detail/CVE-2021-38399
- Honeywell Experion PKS: https://www.honeywellprocess.com/en-US/explore/products/control-monitoring-and-safety-systems/integrated-control-and-safety-systems/experion-pks/Pages/default.aspx
- ICS-CERT Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-241-05

Code Snippet

The actual code snippet cannot be provided due to the confidentiality of proprietary software. However, a simple example in Python to explain the concept of a relative path traversal vulnerability is shown below:

import os

def read_file(relative_path):
    base_path = "/home/user/secure_directory"
    file_path = os.path.join(base_path, relative_path)
    with open(file_path, "r") as file:
        content = file.read()
        return content

user_input = "../unauthorized_directory/secrets.txt"
content = read_file(user_input)
print(content)

In the example above, the function read_file is supposed to read files from the secure_directory folder only. However, a user can provide input with a relative path (e.g., ../unauthorized_directory/secrets.txt), which gets combined with the base path, allowing access to files outside the intended secure_directory.

Exploit Details

An attacker can exploit the CVE-2021-38399 vulnerability via specially crafted input that uses relative path information to target unauthorized files and directories. For example, an attacker could potentially access configuration files, sensitive business documents, or process-related data that were supposedly restricted. The potential impact of this vulnerability includes unauthorized access to critical files, data leakage, and the possibility of escalating the attacker's privileges on the system.

Mitigation

Honeywell has already released a patch to address this vulnerability. Users of the affected Experion PKS controllers should immediately contact Honeywell Technical Support or their local distributor to obtain the patch and apply it as soon as possible.

Additionally, users are encouraged to follow best practices such as

- Implementing network segmentation to separate Experion PKS controllers from external networks, minimizing the risk of unauthorized access.
- Regularly monitoring and reviewing logs to identify and investigate any suspicious activities on the system.
- Employing strong authentication and access control mechanisms to prevent unauthorized access to sensitive files and directories.
- Regularly updating and patching all connected systems, networks, and devices to minimize the risk of vulnerabilities being exploited.

Conclusion

CVE-2021-38399 is a serious vulnerability that affects Honeywell Experion PKS controllers. By exploiting this vulnerability, an attacker may access unauthorized files and directories, potentially causing unauthorized system access and data leakage. Users are urged to apply the necessary patch provided by Honeywell and follow the recommended best practices to ensure the security of their systems.

Timeline

Published on: 10/28/2022 02:15:00 UTC
Last modified on: 11/02/2022 18:12:00 UTC