Team82 has discovered significant vulnerabilities in Honeywell’s ControlEdge Virtual Unit Operations Center (UOC), specifically within the EpicMo protocol. The EpicMo protocol, a proprietary communication protocol used for debugging and diagnosing Honeywell controllers, operates over TCP port 55565 and includes several function codes such as ReadMemory, WriteMemory, Reboot, and ReadCrashBlock. However, Team82’s research has revealed that this protocol also contains undocumented functions that can be exploited, allowing attackers to write files on Virtual UOC controllers without proper sanitation.
The most critical vulnerability identified is CVE-2023-5389, which stems from the LoadFileToModule function (Command 0x51) within the EpicMo protocol. This function allows users to write files to the controller, specifying a Destination_Path without validation or limitation. This lack of restriction means that attackers can write files to any writable location on the controller, potentially leading to remote code execution (RCE). To exploit this vulnerability, an attacker would need to send a series of packets to the controller, starting with a command to initiate the file write, followed by data packets, and concluding with a final command to signal the end of the upload. By overwriting a system-shared object file, such as /lib/libcap.so.2, with a malicious payload, the attacker can achieve code execution upon the controller’s reboot.
Another vulnerability, CVE-2023-5390, was also identified in the EpicMo protocol. While details on this specific vulnerability are less comprehensive, it has been assigned a CVSS v3 score of 5.3, indicating a moderate severity level. This vulnerability further highlights the potential risks associated with proprietary protocols in industrial environments.
In response to these findings, Honeywell has updated the Virtual UOC to address the identified vulnerabilities. The Cybersecurity Infrastructure & Security Agency (CISA) has also published an advisory urging users to update their systems to the latest versions to mitigate the risks. Honeywell’s swift action in addressing these vulnerabilities is commendable, but the incident is a stark reminder of the importance of robust security measures in industrial control systems. The discovery of these vulnerabilities in Honeywell’s Virtual UOC underscores the critical need for continuous security assessments and updates in industrial environments. As proprietary protocols like EpicMo are integral to the operation of ICS, ensuring their security is paramount to protecting industrial processes from potential manipulation or disruption. Honeywell’s Virtual UOC users are strongly advised to update their systems and remain vigilant against potential threats.
Reference:
