CVSS2: 6.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK; Attack Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
AI Score: 6.7 Medium (Confidence: High)
EPSS: 0.676 Medium (Percentile: 98.0%)
This updated advisory is a follow-up to the original advisory, ICSA-13-053-02 "Honeywell Enterprise Buildings Integrator (EBI), SymmetrE, and ComfortPoint Open Manager Station", which was published February 22, 2013, on the ICS-CERT Web page.
This advisory provides mitigation details for a vulnerability that impacts the Honeywell EBI.
Independent researcher Juan Vazquez of Rapid7 privately disclosed an ActiveX vulnerability in the Honeywell EBI, SymmetrE, and ComfortPoint Open Manager (CPO-M) Station, and HMIWeb Browser client packages. Honeywell has produced an update that mitigates this vulnerability. Rapid7 has tested the update to validate that it resolves the vulnerability. Exploitation of this vulnerability could allow partial loss of availability, integrity, and confidentiality. This vulnerability could affect systems deployed in the government facilities and commercial facilities sectors. This vulnerability could be exploited remotely.
Rapid7 has released a Metasploit module for this vulnerability. Honeywell is coordinating with Microsoft to release a kill bit for this vulnerability in a Microsoft Patch Tuesday security update.
Honeywell reports that the vulnerability affects the following product versions:
Successfully exploiting this vulnerability may allow an attacker to execute code of the attacker's choice on an EBI client or EBI system and possibly affect the availability of the system.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Honeywell is a US-based company that maintains offices worldwide.
The Honeywell EBI, SymmetrE, and ComfortPoint Open Manager platforms integrate different systems and devices such as heating, ventilation, and air conditioning (HVAC) controls; security; access control; life safety; lighting; energy management; and facilities management into a common platform.
The platforms are typically managed and controlled by dedicated Station-based clients on secured, isolated building control, security or life safety networks. Noncritical applications can be installed on customer-based enterprise networks and can use the optional Web browser interface.
The vulnerability could allow remote attackers to execute arbitrary code via a specially crafted HTML document. The attacker would require an end-user or operator to voluntarily interact with the attack mechanism for it to be successful. For example, the attacker could send an email message to the end-user, containing a link to a Web site with the specially crafted HTML document.
CVE-2013-0108 has been assigned to this vulnerability. A CVSS v2 base score of 6.8 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:P/I:P/A:P).
NVD entry: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0108 (NIST uses this advisory to create the CVE Web site report; this Web site will be active sometime after publication of this advisory.)
CVSS Calculator: http://nvd.nist.gov/cvss.cfm?version=2&vector=(AV:N/AC:M/Au:N/C:P/I:P/A:P) (Web site last visited February 22, 2013.)
This vulnerability could be exploited remotely.
There is a publicly available Metasploit module for this vulnerability.
An attacker with a medium skill would be able to exploit this vulnerability. Social engineering is required to convince the user to visit the malicious site. This decreases the likelihood of a successful exploit.
Honeywell recommends disabling HscRemoteDeploy.dll from any client or server computers on affected systems. This DLL is not used for any runtime functions and is only required to simplify the installation or upgrade of the HMIWeb Browser client.
Honeywell has created a Station Security Update package that disables the DLL. It should be run on the EBI servers, all Station client PCs, and any PCs that have used the HMIWeb Browser client. Honeywell recommends asset owners contact their local HBS service representative as this update should only be performed by a qualified, trained resource.
Honeywell has requested that Microsoft issue a kill bit for the HscRemoteDeploy.dll in a future monthly Microsoft Windows security update. This will also automatically disable the DLL on any affected system that is using the Windows Update feature in the listed Honeywell products.
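The two mitigations above both come down to the same verifiable state on a Windows host: the DLL is no longer registered as a COM server, or its class is blocked by an Internet Explorer kill bit. A kill bit is the Compatibility Flags value 0x400 under the ActiveX Compatibility registry key for the control's CLSID. The advisory does not name the CLSID, so the added audit script below (not Honeywell's or ICS-CERT's code) discovers it by searching COM registrations whose InprocServer32 path ends in HscRemoteDeploy.dll, then reports whether the kill bit is set for each match. It only reads the registry and makes no changes:

```powershell
# Added example (not Honeywell's or ICS-CERT's code): audit whether HscRemoteDeploy.dll
# is still registered as a COM/ActiveX server and whether the IE kill bit is set for it.
# The CLSID is not given in the advisory, so it is discovered from the InprocServer32 path.
$DllName = 'HscRemoteDeploy.dll'
$KillBit = 0x400   # Compatibility Flags bit that blocks instantiation in Internet Explorer

# COM class registrations (64-bit and 32-bit views on x64 Windows)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)
# ActiveX Compatibility (kill bit) locations
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

$findings = foreach ($root in $ClsidRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $server = Get-ItemProperty -Path "$($key.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
        if ($null -eq $server) { continue }
        $path = [string]$server.'(default)'
        if (-not $path) { continue }
        $path = $path.Trim('"')
        if ($path -like "*$DllName") {
            $clsid = $key.PSChildName
            $killBitSet = $false
            foreach ($compat in $CompatRoots) {
                $flags = (Get-ItemProperty -Path "$compat\$clsid" -Name 'Compatibility Flags' `
                              -ErrorAction SilentlyContinue).'Compatibility Flags'
                if ($flags -and (($flags -band $KillBit) -ne 0)) { $killBitSet = $true }
            }
            [pscustomobject]@{
                CLSID      = $clsid
                Server     = $path
                DllPresent = Test-Path -LiteralPath $path
                KillBit    = $killBitSet
            }
        }
    }
}

if (-not $findings) {
    "No COM registration referencing $DllName found (DLL disabled or never installed)."
} else {
    # Any row with KillBit = False and DllPresent = True is a host still exposed
    $findings | Format-Table -AutoSize
}
```

Run it on EBI servers, Station client PCs and any workstation that has used the HMIWeb Browser client, the same population the Station Security Update targets. A host is mitigated when the script finds no registration, or when every matching CLSID shows KillBit = True; a registration with the DLL present and no kill bit means neither the Honeywell update nor the Microsoft kill-bit release has reached that machine yet.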
Honeywell EBI, SymmetrE, and CPO-M users can find more information in Honeywell's Bulletin CSA-2013-0131-01 or Product Bulletin 581 on the EBI support website.
Honeywell Enterprise Buildings Integrator: https://buildingsolutions.honeywell.com/Cultures/en-US/ServicesSolutions/BuildingManagementSystems/EnterpriseBuildingsIntegrator/ (login required; Web site last visited February 22, 2013.)
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
ICS-CERT also provides a section for control systems security recommended practices on the US-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper ICS-TIP-12-146-01B, "Targeted Cyber Intrusion Detection and Mitigation Strategies".
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks.