CISA Alert Highlights for April 25, 2024 – Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC
How are Vulnerabilities Rated?
The vulnerabilities summarized here affect Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC, and were recently published by CISA in conjunction with the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). The affected products are deployed in the Chemical, Critical Manufacturing, Energy, and Water and Wastewater Systems sectors, and the vulnerabilities have been rated medium to high risk per the criteria listed below.
These vulnerabilities are identified using the Common Vulnerabilities and Exposures (CVE) naming standard and are organized by severity as determined by the Common Vulnerability Scoring System (CVSS). The high, medium, and low severity bands correspond to the following base scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Successful exploitation of these vulnerabilities could disclose sensitive information, allow privilege escalation, or allow remote code execution.
Vendor/Product: Honeywell reports that these vulnerabilities affect the following versions of Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC:
- Experion PKS: All releases prior to R510.2 HF14
- Experion PKS: All releases prior to R511.5 TCU4 HF4
- Experion PKS: All releases prior to R520.1 TCU5
- Experion PKS: All releases prior to R520.2 TCU4 HF2
- Experion LX: All releases prior to R511.5 TCU4 HF4
- Experion LX: All releases prior to R520.1 TCU5
- Experion LX: All releases prior to R520.2 TCU4 HF2
- PlantCruise by Experion: All releases prior to R511.5 TCU4 HF4
- PlantCruise by Experion: All releases prior to R520.1 TCU5
- PlantCruise by Experion: All releases prior to R520.2 TCU4 HF2
- Safety Manager: R15x, R16x up to and including R162.10
- Safety Manager SC: R210.X, R211.1, R211.2, R212.1
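The affected-version list above is the part of the advisory an asset owner actually has to act on, and reading "all releases prior to R520.2 TCU4 HF2" correctly across several parallel release lines is easy to get wrong by hand. The following Python is an added example, not code from the page or from Honeywell: it parses Experion release strings, compares an installed release against the fixed release on the same line, and runs that check over a constructed inventory. The grammar R<major>.<minor> [TCU<n>] [HF<n>], the ordering of TCU above HF, the host names, and the helper names (`parse_release`, `is_affected`, `triage`) are all assumptions made for the example; Safety Manager and Safety Manager SC use a different "up to and including" wording and are deliberately not modelled.

```python
import re

# Fixed releases taken from the advisory list above. Anything on the same
# release line (R<major>.<minor>) that is older than the listed release is
# affected. Safety Manager products use "up to and including" wording and
# are not modelled here.
FIXED_RELEASES = {
    "Experion PKS": ["R510.2 HF14", "R511.5 TCU4 HF4", "R520.1 TCU5", "R520.2 TCU4 HF2"],
    "Experion LX": ["R511.5 TCU4 HF4", "R520.1 TCU5", "R520.2 TCU4 HF2"],
    "PlantCruise by Experion": ["R511.5 TCU4 HF4", "R520.1 TCU5", "R520.2 TCU4 HF2"],
}

# Assumed grammar: R<major>.<minor> [TCU<n>] [HF<n>], with the TCU number
# ranking above the HF number when both are present. This ordering is an
# assumption made for the example, not something the advisory states.
_RELEASE_RE = re.compile(r"^R(\d+)\.(\d+)(?:\s+TCU(\d+))?(?:\s+HF(\d+))?$", re.IGNORECASE)


def parse_release(text):
    """Turn 'R520.2 TCU4 HF2' into a comparable tuple (major, minor, tcu, hf)."""
    m = _RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Experion release string: {text!r}")
    major, minor, tcu, hf = m.groups()
    return (int(major), int(minor), int(tcu or 0), int(hf or 0))


def is_affected(product, installed):
    """True if `installed` is older than the fix for its release line,
    False if it is at or past the fix, None if the advisory does not
    list that release line (treat None as "verify with the vendor")."""
    inst = parse_release(installed)
    fixed = sorted(parse_release(v) for v in FIXED_RELEASES[product])
    same_line = [f for f in fixed if f[:2] == inst[:2]]
    if same_line:
        return inst < same_line[0]
    if inst < fixed[0]:
        return True            # older than every listed line, e.g. R500
    same_major = [f for f in fixed if f[0] == inst[0]]
    if same_major and inst[1] < min(f[1] for f in same_major):
        return True            # e.g. R520.0 is prior to R520.1 TCU5
    return None


def triage(inventory):
    """Split an inventory of (host, product, release) into affected hosts
    and hosts whose release line the advisory does not cover."""
    affected, unknown = [], []
    for host, product, release in inventory:
        verdict = is_affected(product, release)
        if verdict is True:
            affected.append(host)
        elif verdict is None:
            unknown.append(host)
    return affected, unknown


# Constructed sample inventory (hypothetical hosts) for running the check.
SAMPLE_INVENTORY = [
    ("eng-ws-01", "Experion PKS", "R510.2 HF13"),
    ("eng-ws-02", "Experion PKS", "R511.5 TCU4 HF4"),
    ("c300-hist", "Experion LX", "R520.1 TCU4"),
    ("pc-server", "PlantCruise by Experion", "R520.2 TCU4 HF2"),
    ("lab-pks", "Experion PKS", "R520.3"),
]

if __name__ == "__main__":
    hit, unsure = triage(SAMPLE_INVENTORY)
    print("affected:", hit)       # ['eng-ws-01', 'c300-hist']
    print("not listed:", unsure)  # ['lab-pks']
```

The `None` verdict matters in practice: a release line the advisory does not mention (here R520.3) is not evidence that a host is fixed, so the triage keeps it in a separate bucket for confirmation against the vendor's Security Notice rather than silently treating it as safe.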
Description:
Exposed Dangerous Method or Function
- CVE-2023-5389
- CVSS Score: 9.1
- CVE-2023-5390
- CVSS Score: 5.3
- CVE-2023-5407
- CVSS Score: 5.9
Debug Messages Revealing Unnecessary Information
- CVE-2023-5392
- CVSS Score: 7.5
Out-of-bounds Write, Heap-based Buffer Overflow
- CVE-2023-5406
- CVSS Score: 5.9
Binding to an Unrestricted IP Address
- CVE-2023-5398
- CVSS Score: 5.9
- CVE-2023-5397
- CVSS Score: 8.1
Buffer Access with Incorrect Length Value
- CVE-2023-5396
- CVSS Score: 7.4
Improper Restriction of Operations within the Bounds of a Memory Buffer
- CVE-2023-5394
- CVSS Score: 7.4
Improper Handling of Length Parameter Inconsistency
- CVE-2023-5393
- CVSS Score: 7.4
Mitigation: Honeywell has fixed the reported issues and advises users to upgrade to the version referenced in the Security Notice or CVE record.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Ensure the least-privilege user principle is followed.
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from business networks.
- When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.