Target DCS: Finding, Fixing Critical Bugs in Honeywell Experion PKS
By Rei Henigman, Nadav Erez | Oct. 5, 2021
Claroty’s Team82 researchers today disclose some details about three vulnerabilities reported to Honeywell International in its Honeywell Experion Process Knowledge System (PKS) distributed control system (DCS).
The vulnerabilities could allow an attacker to modify a Control Component Library (CCL) and load it to a controller, which would then execute malicious code. Denial-of-service attacks are also possible.
The vulnerabilities affect all versions of the C200, C200E, C300, and ACE controllers and simulators.
An attacker could use the vulnerabilities to execute native code on the system, modify process values, or disrupt critical processes.
Honeywell has addressed these vulnerabilities and issued an advisory. Users are urged to update or patch as soon as possible.
ICS-CERT published an advisory today, and rated the vulnerabilities collectively, a 10.0, the highest criticality CVSS score
Distributed control systems (DCS) are complex systems designed to control large industrial processes, comprising multiple controllers, I/O devices, and human-machine interfaces (HMIs). These systems are usually used in large plants, where high availability and continuous operations are required.
Honeywell Experion Process Knowledge System (PKS) is a DCS that is widely adopted globally and across different industries. This vast automation platform integrates data from controllers across an environment, providing a centralized view of processes plant-wide. The system primarily uses C200, C300 and ACE controllers, which may be programmed through Experion PKS Configuration Studio, Honeywell’s engineering workstation software. The logic—developed as block diagrams—can then be downloaded from the engineering workstation to the different components in the DCS.
Honeywell Experion PKS controller.
Distributed control systems are often regarded as a black box by cybersecurity researchers. Relatively few DCS vulnerabilities are disclosed, because the equipment is difficult to obtain. Like many other types of industrial equipment, it’s not readily available for purchase online, and it may be extremely expensive to purchase and configure. This is frequently the case with industrial control systems and SCADA equipment, and it presents a significant barrier to entry for newly active ICS security researchers, who are much more likely to examine commodity gear from market-leading vendors.
Honeywell Experion PKS controllers and simulators communicate with the Experion PKS Configuration Studio engineering software for programming purposes over TCP ports 55553 and 55555. These ports are used to communicate with the Experion PKS Configuration Studio software suite using a proprietary Honeywell engineering protocol. One of the applications within this suite is the Honeywell Experion Control Builder (contbldr.exe), which is responsible for programming the logic running in the controller.
As with every SCADA/DCS controller, it is possible to change current logic by performing a download code procedure. As part of this mechanism, the Honeywell Experion Control Builder software transfers compiled logic to the device and then executes it.
It is worth noting that the logic is compiled to the controller’s CPU machine code (e.g. x86 bytecode), which may present a security risk. Usually, a sandbox or some other type of security control is in place that prevents native code execution. In this case, the Experion PKS lacks a sandbox, memory protection, or other restrictions on malicious code before it is executed.
Sandboxes, for example, are crucial cybersecurity controls, especially in the ICS domain; executables are executed in an isolated area which restricts its capabilities, such as accessing system resources, to a bare minimum. They are a critical tool to keep untested or untrusted code from affecting processes, and in limiting the spread of malware and exploits targeting known and unknown vulnerabilities.
In the case of the Experion PKS, Team82 found that it is possible to mimic the download code procedure and use these requests to upload arbitrary DLL/ELF files (for simulators and controllers, respectively). The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication.
Generally, ports 55553 and 55555 are not exposed to the internet. An attacker would have to find another way to gain a foothold on the OT network in order to attack these vulnerabilities. In such a scenario, the two vulnerabilities discovered by Team82 could be leveraged to execute native code without restrictions. With such access to a DCS, an attacker could seriously disrupt operations by modifying process values, or use the DCS as a base for launching further attacks on the network using malware or exploits.
A Control Component Library (CCL) is a library of control components that is loaded to a controller to perform specific functions. We can think of CCL libraries as extensions that enable developers to use application-specific functionality with external function blocks that are not supported by the standard library.
The CCL format is a wrapper for DLL/ELF files. Its first four bytes are the CRC32 of the executable file (DLL/ELF). The next 128 bytes represent the name of the library (wrapped with nulls), and the rest of the file is the actual wrapped DLL/ELF file. The wrapped DLL/ELF files are libraries of block codes, used in the Control Builder software. When the CCL files are being parsed, there are no security validations such as signature checking or sanitization of the library names. Therefore, an attacker can perform a directory traversal attack and upload any DLL/ELF files they wish to arbitrary locations on the remote controller.
Moreover, during our research, we found that in some cases CCL files that are sent to end devices get instantly executed, without performing security checks (e.g. signature checking). The protocol doesn’t require authentication, which would prevent unauthorized users from performing download actions. Therefore, any attacker might use this library download functionality to remotely execute code without authentication. To do this, an attacker can download a DLL/ELF of his choice to the controller/simulator using the protocol, and it will be instantly executed on the end device.
Team82’s proof of concept shows how an attacker can achieve unauthorized remote code execution. The system used in this image is the Honeywell Experion Controller Simulator.
Honeywell addressed these vulnerabilities earlier this year in a number of updates and patches. All Experion PKS customers using the affected controllers in their environments, regardless of whether they use CCLs, are affected. An attacker already on the network can impact processes by loading a modified CCL with malicious code to a controller that would execute the attacker’s code.
Honeywell should be recognized for its response to these critical vulnerabilities. To address the flaws Team82 privately disclosed, Honeywell has added cryptographic signing to CCLs to ensure they have not been tampered with. Each CCL binary now has an associated cryptographic signature that is sent to the controller when the CCL is loaded; that signature is validated before the CCL is used, Honeywell said in its advisory.
Honeywell has made patches available for affected Experion PKS versions, including server software patches and fixes for the controller firmware. Both must be applied in order to fully mitigate these vulnerabilities.
Hotfixes have either been released or will be released for versions R510.2 (Hotfix10, released) and R501.6. Version R511.5 also addresses all of these vulnerabilities. No patches are available for other Experion releases, and those users are urged to migrate to the latest point release.
CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS score: 10.0
The affected products are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component
CVSS score: 9.1
The affected products are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.