Honeywell Fixes Mobile Computer Hole

Thursday, September 13, 2018 @ 01:09 PM gHale

Honeywell has a software update that resolves an improper privilege management vulnerability in its Mobile Computers, according to a report from NCCIC.

A vulnerability, discovered by Google’s Android Team in coordination with Honeywell, in a system service on CT60, CN80, CT40, CK75, CN75, CT50, D75e, CN51, and EDA series mobile computers running the Android Operating System (OS) could allow a malicious third-party application to gain elevated privileges.


The following versions of Honeywell Mobile Computers (hand-held computers) suffer from the remotely exploitable vulnerability:
• CT60 running Android OS 7.1
• CN80 running Android OS 7.1
• CT40 running Android OS 7.1
• CK75 running Android OS 6.0
• CN75 running Android OS 6.0
• CN75e running Android OS 6.0
• CT50 running Android OS 6.0
• D75e running Android OS 6.0
• CT50 running Android OS 4.4
• D75e running Android OS 4.4
• CN51 running Android OS 6.0
• EDA50k running Android OS 4.4
• EDA50 running Android OS 7.1
• EDA50k running Android OS 7.1
• EDA70 running Android OS 7.1
• EDA60k running Android OS 7.1
• EDA51 running Android OS 8.1

A skilled attacker with advanced knowledge of the target system could exploit this vulnerability by creating an application that successfully binds to the service and gains elevated system privileges. This could enable the attacker to obtain access to keystrokes, passwords, personally identifiable information, photos, emails, or business-critical documents.

CVE-2018-14825 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.6.

The product sees use in the commercial facilities, critical manufacturing, energy, and healthcare and public health sectors. It is deployed worldwide.

No known public exploits specifically target this vulnerability. High skill level is needed to exploit.

Honeywell released software updates that resolve this vulnerability. All users using the affected products should update their products as indicated below. Only products listed below are affected by this vulnerability.

Honeywell recommends users upgrade to the version identified below to resolve the vulnerability. Updates are available from Honeywell online or through Honeywell product support.

• CT60 running Android OS 7.1 – (GMS version) Upgrade to Android OS release 84.00.11 or later; (non-GMS version) Upgrade to Android OS release 83.00.11 or later
• CN80 running Android OS 7.1 – (GMS version) Upgrade to Android OS release 84.00.11 or later; (non-GMS version) Upgrade to Android OS release 83.00.11 or later
• CT40 running Android OS 7.1 – (GMS version) Upgrade to Android OS release 84.00.11 or later; (non-GMS version) Upgrade to Android OS release 83.00.11 or later
• CK75 running Android OS 6.0 – Update CommonES to 4.02.00.4082 or later; Update ECP to Version 2.30.00.0167 or later (if applicable)
• CN75 running Android OS 6.0 – Update CommonES to 4.02.00.4082 or later; Update ECP to Version 2.30.00.0167 or later (if applicable)
• CN75e running Android OS 6.0 – Update CommonES to 4.02.00.4082 or later; Update ECP to Version 2.30.00.0167 or later (if applicable)
• CT50 running Android OS 6.0 – Update to CommonES 4.01.00.4134 or later; Update ECP to Version 2.30.00.0167 or later (if applicable)
• D75e running Android OS 6.0 – Update to CommonES 4.01.00.4134 or later; Update ECP to Version 2.30.00.0167 or later (if applicable)
• CT50 running Android OS 4.4 – Update to CommonES 3.17.3445 or later
• D75e running Android OS 4.4 – Update to CommonES 3.17.3445 or later
• CN51 running Android OS 6.0 – Update to CommonES 4.01.03.3992 or later; Update ECP to Version 2.30.00.0167 or later (if applicable)
• EDA50k running Android OS 4.4 – Update to CommonES 3.17.3321.10 or later, release will be available: 9/21/2018
• EDA50 running Android OS 7.1 – Update to CommonES 5.01.01.4217 or later, release will be available: 9/17/2018
• EDA50k running Android OS 7.1 – Update to CommonES 5.01.01.4217 or later, release will be available: 9/17/2018
• EDA70 running Android OS 7.1 – Update to CommonES 5.01.01.4217 or later, release will be available: 9/17/2018
• EDA60k running Android OS 7.1 – (non-GMS) Upgrade to Android OS release 206.01.00.0018 or later; Update ECP to Version 2.30.00.0167 or later, release will be available: 9/17/2018
• EDA51 running Android OS 8.1 – Update to CommonES 6.02.01.4593, release will be available: 9/17/2018
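
To check a fleet against the list above, the following added example (not Honeywell or NCCIC code) audits an inventory export against the CommonES versions given for each model. It covers only the CommonES rows; the inventory field names, the sample records, and the assumption that versions order numerically component by component are hypothetical.

```python
# Fixed CommonES versions from the list above, keyed by (model, Android OS).
# Assumption: each value is a minimum and dotted versions order numerically.
_BY_VERSION = {
    "4.02.00.4082": [("CK75", "6.0"), ("CN75", "6.0"), ("CN75e", "6.0")],
    "4.01.00.4134": [("CT50", "6.0"), ("D75e", "6.0")],
    "3.17.3445": [("CT50", "4.4"), ("D75e", "4.4")],
    "4.01.03.3992": [("CN51", "6.0")],
    "3.17.3321.10": [("EDA50k", "4.4")],
    "5.01.01.4217": [("EDA50", "7.1"), ("EDA50k", "7.1"), ("EDA70", "7.1")],
    "6.02.01.4593": [("EDA51", "8.1")],
}
FIXED_COMMONES = {dev: ver for ver, devs in _BY_VERSION.items() for dev in devs}

def parse_version(text):
    # '4.02.00.4082' -> (4, 2, 0, 4082); raises ValueError on non-numeric parts.
    return tuple(int(part) for part in text.strip().split("."))

def is_at_least(installed, minimum):
    # Pad the shorter version with zeros so 3.17.3445 equals 3.17.3445.0.
    have, need = parse_version(installed), parse_version(minimum)
    width = max(len(have), len(need))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) >= pad(need)

def audit(device):
    # Returns 'patched', 'vulnerable', 'unknown' or 'not-listed' for one record.
    minimum = FIXED_COMMONES.get((device["model"], device["android"]))
    if minimum is None:
        return "not-listed"  # e.g. CT60/CN80/CT40/EDA60k: fixed by OS release
    try:
        ok = is_at_least(device["commones"], minimum)
    except (ValueError, KeyError, AttributeError):
        return "unknown"     # missing or malformed version: review by hand
    return "patched" if ok else "vulnerable"

# Constructed sample inventory (hypothetical field names, not real devices).
INVENTORY = [
    {"id": "wh-01", "model": "CT50", "android": "4.4", "commones": "3.17.3445"},
    {"id": "wh-02", "model": "EDA50k", "android": "4.4", "commones": "3.17.3321.9"},
    {"id": "wh-03", "model": "CN51", "android": "6.0", "commones": "4.1.3.4000"},
    {"id": "wh-04", "model": "EDA51", "android": "8.1", "commones": "n/a"},
    {"id": "wh-05", "model": "CT60", "android": "7.1", "commones": "5.01.01.4217"},
]

def audit_fleet(inventory):
    return {d["id"]: audit(d) for d in inventory}

if __name__ == "__main__":
    print(audit_fleet(INVENTORY))
```

Records reported as not-listed or unknown still need a manual check against the OS release and ECP versions in the list above.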

Honeywell always recommends whitelisting of trusted applications to limit risk from malicious apps being installed on the device. Please see the Android Network and Security Guide for additional information.

For assistance with this vulnerability, please contact Honeywell through product support.


