Team82 Logo Claroty
Return to Team82 Research

Target DCS: Finding, Fixing Critical Bugs in Honeywell Experion PKS

/
Target DCS: Finding, Fixing Critical Bugs in Honeywell Experion PKS

Executive Summary

  • Claroty's Team82 researchers today disclose some details about three vulnerabilities reported to Honeywell International in its Honeywell Experion Process Knowledge System (PKS) distributed control system (DCS).

  • The vulnerabilities could allow an attacker to modify a Control Component Library (CCL) and load it to a controller, which would then execute malicious code. Denial-of-service attacks are also possible.

  • The vulnerabilities affect all versions of the C200, C200E, C300, and ACE controllers and simulators.

  • An attacker could use the vulnerabilities to execute native code on the system, modify process values, or disrupt critical processes.

  • Honeywell has addressed these vulnerabilities and issued an advisory. Users are urged to update or patch as soon as possible.

  • ICS-CERT published an advisory today, and rated the vulnerabilities collectively, a 10.0, the highest criticality CVSS score

What are Distributed Control Systems (DCS)?

Distributed control systems (DCS) are complex systems designed to control large industrial processes, comprising multiple controllers, I/O devices, and human-machine interfaces (HMIs). These systems are usually used in large plants, where high availability and continuous operations are required.

Honeywell Experion Process Knowledge System (PKS) is a DCS that is widely adopted globally and across different industries. This vast automation platform integrates data from controllers across an environment, providing a centralized view of processes plant-wide. The system primarily uses C200, C300 and ACE controllers, which may be programmed through Experion PKS Configuration Studio, Honeywell's engineering workstation software. The logic—developed as block diagrams—can then be downloaded from the engineering workstation to the different components in the DCS.

Honeywell Experion PKS controller
Honeywell Experion PKS controller.

Distributed control systems are often regarded as a black box by cybersecurity researchers. Relatively few DCS vulnerabilities are disclosed, because the equipment is difficult to obtain. Like many other types of industrial equipment, it's not readily available for purchase online, and it may be extremely expensive to purchase and configure. This is frequently the case with industrial control systems and SCADA equipment, and it presents a significant barrier to entry for newly active ICS security researchers, who are much more likely to examine commodity gear from market-leading vendors.

Technical Details

Honeywell Experion PKS controllers and simulators communicate with the Experion PKS Configuration Studio engineering software for programming purposes over TCP ports 55553 and 55555. These ports are used to communicate with the Experion PKS Configuration Studio software suite using a proprietary Honeywell engineering protocol. One of the applications within this suite is the Honeywell Experion Control Builder (contbldr.exe), which is responsible for programming the logic running in the controller.

As with every SCADA/DCS controller, it is possible to change current logic by performing a download code procedure. As part of this mechanism, the Honeywell Experion Control Builder software transfers compiled logic to the device and then executes it.

It is worth noting that the logic is compiled to the controller's CPU machine code (e.g. x86 bytecode), which may present a security risk. Usually, a sandbox or some other type of security control is in place that prevents native code execution. In this case, the Experion PKS lacks a sandbox, memory protection, or other restrictions on malicious code before it is executed.

Sandboxes, for example, are crucial cybersecurity controls, especially in the ICS domain; executables are executed in an isolated area which restricts its capabilities, such as accessing system resources, to a bare minimum. They are a critical tool to keep untested or untrusted code from affecting processes, and in limiting the spread of malware and exploits targeting known and unknown vulnerabilities.

However, even sandboxes aren't always foolproof. Earlier this year, Team82 published research into Siemens SIMATIC PLCs that demonstrated vulnerabilities that made it possible to bypass memory protections in the sandbox, and run native code in protected areas of memory.

In the case of the Experion PKS, Team82 found that it is possible to mimic the download code procedure and use these requests to upload arbitrary DLL/ELF files (for simulators and controllers, respectively). The device then loads the executables without performing checks or sanitization, giving an attacker the ability to upload executables and run unauthorized native code remotely without authentication.

Generally, ports 55553 and 55555 are not exposed to the internet. An attacker would have to find another way to gain a foothold on the OT network in order to attack these vulnerabilities. In such a scenario, the two vulnerabilities discovered by Team82 could be leveraged to execute native code without restrictions. With such access to a DCS, an attacker could seriously disrupt operations by modifying process values, or use the DCS as a base for launching further attacks on the network using malware or exploits.

The Vulnerabilities

A Control Component Library (CCL) is a library of control components that is loaded to a controller to perform specific functions. We can think of CCL libraries as extensions that enable developers to use application-specific functionality with external function blocks that are not supported by the standard library.

The CCL format is a wrapper for DLL/ELF files. Its first four bytes are the CRC32 of the executable file (DLL/ELF). The next 128 bytes represent the name of the library (wrapped with nulls), and the rest of the file is the actual wrapped DLL/ELF file. The wrapped DLL/ELF files are libraries of block codes, used in the Control Builder software. When the CCL files are being parsed, there are no security validations such as signature checking or sanitization of the library names. Therefore, an attacker can perform a directory traversal attack and upload any DLL/ELF files they wish to arbitrary locations on the remote controller.

Moreover, during our research, we found that in some cases CCL files that are sent to end devices get instantly executed, without performing security checks (e.g. signature checking). The protocol doesn't require authentication, which would prevent unauthorized users from performing download actions. Therefore, any attacker might use this library download functionality to remotely execute code without authentication. To do this, an attacker can download a DLL/ELF of his choice to the controller/simulator using the protocol, and it will be instantly executed on the end device.

Target DCS: Finding, Fixing Critical Bugs in Honeywell Experion PKS
Team82's proof of concept shows how an attacker can achieve unauthorized remote code execution. The system used in this image is the Honeywell Experion Controller Simulator.

Summary

Honeywell addressed these vulnerabilities earlier this year in a number of updates and patches. All Experion PKS customers using the affected controllers in their environments, regardless of whether they use CCLs, are affected. An attacker already on the network can impact processes by loading a modified CCL with malicious code to a controller that would execute the attacker's code.

Honeywell should be recognized for its response to these critical vulnerabilities. To address the flaws Team82 privately disclosed, Honeywell has added cryptographic signing to CCLs to ensure they have not been tampered with. Each CCL binary now has an associated cryptographic signature that is sent to the controller when the CCL is loaded; that signature is validated before the CCL is used, Honeywell said in its advisory.

Honeywell has made patches available for affected Experion PKS versions, including server software patches and fixes for the controller firmware. Both must be applied in order to fully mitigate these vulnerabilities.

Hotfixes have either been released or will be released for versions R510.2 (Hotfix10, released) and R501.6. Version R511.5 also addresses all of these vulnerabilities. No patches are available for other Experion releases, and those users are urged to migrate to the latest point release.

CVE Information

CVE-2021-38397

CWE-434: Unrestricted Upload of File with Dangerous Type CVSS score: 10.0

The affected products are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

CVE-2021-38395

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component CVSS score: 9.1

The affected products are vulnerable to improper neutralization of special elements in output, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

CVE-2021-38399

CWE-23: Relative Path Traversal CVSS score: 7.5

The affected products are vulnerable to relative path traversal, which may allow an attacker access to unauthorized files and directories.

Stay in the know Get the Team82 Newsletter
Related Vulnerability Disclosures
Claroty
LinkedIn Twitter YouTube Facebook