Mitigation for Enterprise Buildings Integrator

Monday, February 25, 2013 @ 04:02 PM gHale

Mitigation details are now available for an ActiveX vulnerability affecting the Honeywell Enterprise Buildings Integrator (EBI), according to a report on ICS-CERT.

The vulnerability, privately disclosed by independent researcher Juan Vazquez of Rapid7, is in Honeywell EBI, SymmetrE, and ComfortPoint Open Manager (CPO-M) Station, and HMIWeb Browser client packages.

Honeywell created an update that mitigates the vulnerability, and Rapid7 tested it to validate that it resolves the issue.

Exploitation of this remotely exploitable vulnerability could allow partial loss of availability, integrity, and confidentiality. This vulnerability could affect systems deployed in the government facilities and commercial facilities sectors. Rapid7 plans to release a Metasploit module for this vulnerability in March.

The vulnerability affects the following product versions:
• EBI R310, R400.2, R410.1, R410.2
• SymmetrE R310, R410.1, R410.2
• CPO-M R100

Successfully exploiting this vulnerability could allow an attacker to execute code of the attacker’s choice on an EBI client or EBI system and possibly affect the availability of the system.

The Honeywell EBI, SymmetrE, and ComfortPoint Open Manager platforms integrate different systems and devices such as heating, ventilation, and air conditioning (HVAC) controls; security; access control; life safety; lighting; energy management; and facilities management into a common platform.

The platforms are typically managed and controlled by dedicated station-based clients on secured, isolated building control, security or life safety networks. Noncritical applications can be installed on customer-based enterprise networks and can use the optional Web browser interface.

The vulnerability could allow remote attackers to execute arbitrary code via a specially crafted HTML document. The attacker would require an end-user or operator to voluntarily interact with the attack mechanism for it to be successful. In one case, an attacker could send an email message to the end-user, containing a link to a Web site with the specially crafted HTML document.

CVE-2013-0108 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.8.

There are no known exploits that specifically target this vulnerability yet. An attacker with a medium skill level would be able to exploit this vulnerability. Social engineering is one aspect needed to convince the user to visit the malicious site.

Honeywell recommends disabling HscRemoteDeploy.dll on any client or server computers on affected systems. This DLL is not used for any runtime functions and is only required to simplify the installation or upgrade of the HMIWeb Browser client.

Honeywell has created a Station Security Update package that disables the DLL. It should be run on the EBI servers, all Station client PCs, and any PCs that have used the HMIWeb Browser client. Honeywell recommends asset owners contact their local HBS service representative, as a qualified, trained resource should perform this update.

Honeywell requested Microsoft issue a kill bit for the HscRemoteDeploy.dll in a future monthly Microsoft Windows security update. This will also automatically disable the DLL on any affected system that is using the Windows Update feature in the listed Honeywell products.
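To verify the mitigation on a given PC, the read-only PowerShell audit below (an added example, not Honeywell's or Microsoft's tooling) looks for COM registrations that point at HscRemoteDeploy.dll and reports whether the Internet Explorer kill bit is set for each one. The function name `Get-HscRemoteDeployStatus` is hypothetical, and the script assumes the control is registered as an in-process server under HKLM; the article does not say how the Station Security Update disables the DLL.

```powershell
# Added example: read-only audit, changes nothing. Run elevated in 64-bit PowerShell.
$DllName = 'HscRemoteDeploy.dll'   # DLL name taken from the advisory
$KillBit = 0x400                   # kill bit value in "Compatibility Flags"

# Both registry views, because a 32-bit control registers under WOW6432Node.
$Views = @(
    @{ Name    = '64-bit'
       Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Name    = '32-bit'
       Classes = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-HscRemoteDeployStatus {
    foreach ($view in $Views) {
        if (-not (Test-Path -LiteralPath $view.Classes)) { continue }
        foreach ($clsidKey in Get-ChildItem -LiteralPath $view.Classes -ErrorAction SilentlyContinue) {
            # InprocServer32's default value holds the path of the DLL that implements the class.
            $inproc = $clsidKey.OpenSubKey('InprocServer32')
            if ($null -eq $inproc) { continue }
            $server = [string]$inproc.GetValue('')
            $inproc.Close()
            if ($server -notlike "*$DllName*") { continue }

            # The kill bit lives under ActiveX Compatibility\{CLSID}.
            $compatKey = Join-Path $view.Compat $clsidKey.PSChildName
            $flags = 0
            if (Test-Path -LiteralPath $compatKey) {
                $prop = Get-ItemProperty -LiteralPath $compatKey -ErrorAction SilentlyContinue
                if ($prop -and $null -ne $prop.'Compatibility Flags') {
                    $flags = [int]$prop.'Compatibility Flags'
                }
            }
            $path = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
            [pscustomobject]@{
                View       = $view.Name
                CLSID      = $clsidKey.PSChildName
                ServerPath = $path
                FileOnDisk = (Test-Path -LiteralPath $path)
                KillBitSet = (($flags -band $KillBit) -eq $KillBit)
            }
        }
    }
}

Get-HscRemoteDeployStatus | Format-Table -AutoSize
```

A row with `KillBitSet` false is a registration Internet Explorer would still load. No rows at all means nothing on the host registers the DLL as an in-process COM server, which is what an unregistered control looks like.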

One Response to “Mitigation for Enterprise Buildings Integrator”

  1. the SCADAhacker says:

    I wanted to share some good news that it has been confirmed that this set of vulnerabilities does NOT affect the Experion PKS industrial control system, which is developed by a sister group within Honeywell and includes a similar HMIWeb application environment. Thanks Honeywell for working with me to get this resolved and clarified!
