XL Web II Controller Holes Cleared

Thursday, February 2, 2017 @ 12:02 PM gHale


Honeywell released a new software version to mitigate five vulnerabilities in its XL Web II controller application, according to a report with ICS-CERT.

These vulnerabilities, discovered by independent researcher Maxim Rupp, are remotely exploitable.


The following XL Web II controller versions suffer from the issues:
• XL1000C500 XLWebExe-2-01-00 and prior
• XLWeb 500 XLWebExe-1-02-08 and prior

An attacker could use these vulnerabilities to obtain a password simply by requesting a specific URL, turning the XL Web II controller application into an entry point into the control network.

Honeywell is a U.S.-based company that maintains offices worldwide.

The affected products, XL Web II controllers, are web-based SCADA systems. XL Web II controllers see action across several sectors including critical manufacturing, energy, and water and wastewater systems. Honeywell said these products see use primarily in Europe and the Middle East.

In one vulnerability, any user is able to disclose a password by accessing a specific URL; no special privilege is required.

CVE-2017-5139 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, the application stores the password in cleartext, so anyone who can read the stored value obtains the credential directly rather than a hash that still has to be cracked.

CVE-2017-5140 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.
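The difference between the cleartext storage described above and a hardened credential store, as an added illustration that is not Honeywell code and has nothing to do with how the XL Web II firmware is actually built: the weak record hands the password to anyone who can read it (which is exactly what a password-disclosing URL does), while the hashed record yields only a salted PBKDF2 digest that can be verified but not read back. Function names and the sample account are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed helper names, constructed for this example only.
PBKDF2_ITERATIONS = 600_000  # work factor in the range OWASP recommends for PBKDF2-HMAC-SHA256


def store_cleartext(username: str, password: str) -> dict:
    """The weak pattern: the record itself contains the secret."""
    return {"user": username, "password": password}


def store_hashed(username: str, password: str, salt: bytes = b"") -> dict:
    """Hardened pattern: keep only a per-user salt and a slow salted hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "user": username,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_hashed(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def leaks_password(record: dict, password: str) -> bool:
    """True if merely reading the record gives the reader the password."""
    return password in record.values()


if __name__ == "__main__":
    weak = store_cleartext("operator", "hunter2")      # constructed sample account
    strong = store_hashed("operator", "hunter2")
    print("cleartext record leaks password:", leaks_password(weak, "hunter2"))
    print("hashed record leaks password:   ", leaks_password(strong, "hunter2"))
    print("hashed record verifies login:   ", verify_hashed(strong, "hunter2"))
```

Reading the hashed record back through a disclosure bug still hurts (it enables offline guessing), but it no longer equals an immediate login, which is why the second flaw compounds the first.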

In another vulnerability, the application establishes a new user session without invalidating the existing session identifier, a session fixation flaw that gives an attacker who can plant a known session ID the opportunity to steal authenticated sessions.

CVE-2017-5141 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.0.
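How the session handling flaw above is abused, and what the fix looks like, as an added example that is not Honeywell code and does not reproduce the actual XL Web II implementation: a toy session table that can be switched between the flawed behaviour (the session ID present before login stays valid after login) and the fix (a fresh ID is issued at login and the old one discarded). The class, the account and the planted ID are all assumptions constructed for the demonstration.

```python
import secrets

# Constructed sample account for the example.
CREDENTIALS = {"operator": "hunter2"}


class SessionStore:
    """Assumed helper: server-side session table with a switchable fix."""

    def __init__(self, rotate_on_login: bool):
        self.rotate_on_login = rotate_on_login
        self.sessions = {}  # session ID -> {"user": username or None}

    def new_anonymous(self, preset_id=None):
        # Honouring a caller-supplied ID models a server that accepts a session
        # cookie or URL parameter it never issued; that is what lets an attacker
        # plant an ID they already know. A hardened server would also ignore
        # unknown IDs, but the decisive fix is the rotation in login() below.
        sid = preset_id or secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, sid, username, password):
        if CREDENTIALS.get(username) != password:
            return None
        if self.rotate_on_login:
            # Fix: drop the pre-authentication ID so any copy the attacker
            # holds becomes worthless, then bind the user to a brand-new ID.
            self.sessions.pop(sid, None)
            sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username}
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def session_fixation_attack(store):
    """Replay the attack; returns (planted ID, victim's ID after login, who the planted ID is now)."""
    # 1. Attacker gets the server to accept an ID of their choosing.
    planted = store.new_anonymous(preset_id="attacker-chosen-id")
    # 2. Victim is induced to use that ID (link, injected cookie) and logs in.
    victim_sid = store.login(planted, "operator", "hunter2")
    # 3. Attacker presents the ID they planted.
    return planted, victim_sid, store.whoami(planted)


if __name__ == "__main__":
    for rotate in (False, True):
        _, _, hijacked = session_fixation_attack(SessionStore(rotate_on_login=rotate))
        print(f"rotate_on_login={rotate}: planted ID is now user {hijacked!r}")
```

With rotation off the planted ID becomes the operator's authenticated session; with rotation on it maps to nobody, which is the behaviour the update needs to provide.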

Also, a user with low privileges can open and change controller parameters by accessing a specific URL, a missing authorization check on that request.

CVE-2017-5142 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

In addition, an unauthenticated user can perform a directory traversal attack by requesting a specially crafted URL, reaching files outside the directory the web application is meant to serve.

CVE-2017-5143 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
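The check a web application needs in order to stop the traversal described above, as an added example that is not Honeywell code and does not describe the XL Web II product's actual file handling: every requested path is decoded, normalized and then tested against the web root before any file is opened, and the function is run over a constructed set of requests covering plain, URL-encoded, double-encoded and backslash variants. The web root and the sample requests are assumptions made for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEBROOT = "/var/www/xlweb"  # assumed location, purely for illustration


def resolve_request_path(webroot: str, request_path: str) -> Optional[str]:
    """Return the absolute file path for request_path, or None if it escapes webroot.

    Normalizes lexically (posixpath.normpath); a deployment that follows symlinks
    would additionally apply os.path.realpath and re-check the prefix.
    """
    # Decode repeatedly so %252e%252e (double-encoded "..") is seen as "..".
    decoded = request_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:          # NUL bytes truncate paths in C-based servers
        return None
    decoded = decoded.replace("\\", "/")  # treat backslash as a separator too
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    root = webroot.rstrip("/")
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def is_traversal_attempt(request_path: str, webroot: str = WEBROOT) -> bool:
    """Convenience wrapper usable as a detection rule over access-log paths."""
    return resolve_request_path(webroot, request_path) is None


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../index.html",
    "/../../etc/passwd",
    "/..%2F..%2Fetc%2Fpasswd",
    "/%252e%252e/%252e%252e/etc/passwd",
    "/static/..\\..\\windows\\win.ini",
]


def classify(requests) -> dict:
    """Map each request path to its resolved file path, or None when rejected."""
    return {r: resolve_request_path(WEBROOT, r) for r in requests}


if __name__ == "__main__":
    for req, resolved in classify(SAMPLE_REQUESTS).items():
        print(f"{req!r:45} -> {resolved if resolved else 'REJECTED'}")
```

Note that "/images/../index.html" is accepted: the test is whether the normalized result stays under the web root, not whether the string contains "..", which avoids both false positives and bypasses by encoding.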

No known public exploits specifically target these vulnerabilities; however, an attacker with low skill would be able to exploit them.

Honeywell created Version 3.04.05.05 to fix the vulnerabilities in the XL Web II controllers. Users should contact their local Honeywell HBS branch to have their sites updated to the latest version.

In the Centraline partner channel, Excel Web controllers were also sold under the brand name “FALCON.” Users of those units can obtain the latest versions by contacting Centraline.


