nessus | This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof. | TENABLE_OT_HONEYWELL_CVE-2021-38397.NASL
History: Feb 01, 2023 - 12:00 a.m.

Honeywell Experion PKS and ACE Controllers Unrestricted Upload of File with Dangerous Type (CVE-2021-38397)

2023-02-01 00:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
11

9.8 High

AI Score

Confidence

High

Honeywell Experion PKS C200, C200E, C300, and ACE controllers are vulnerable to unrestricted file uploads, which may allow an attacker to remotely execute arbitrary code and cause a denial-of-service condition.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Plugin registration block. It runs only when `description` is set, declares
# the plugin's metadata, and exits at the end; none of the detection logic
# further down the file is reached on this path.
if (description)
{
  # Plugin identity and revision tracking.
  script_id(500791);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  # The single CVE this plugin reports on.
  script_cve_id("CVE-2021-38397");

  script_name(english:"Honeywell Experion PKS and ACE Controllers Unrestricted Upload of File with Dangerous Type (CVE-2021-38397)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"Honeywell Experion PKS C200, C200E, C300, and ACE controllers are
vulnerable to unrestricted file uploads, which may allow an attacker
to remotely execute arbitrary code and cause a denial-of-service
condition.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  # References. The first see_also is a shortened nessus.org redirect served over
  # plain http; the URL in the comment below appears to record its target
  # (the Honeywell notification) - confirm before relying on it.
  # https://www.honeywellprocess.com/library/support/notifications/Customer/SN2021-02-22-01-Experion-C300-CCL.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?04c83b01");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/uscert/ics/advisories/icsa-21-278-04");
  # The solution text names no fixed firmware release; it points to Honeywell's
  # network and security planning guidance and to SN2021-02-22-01.
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Honeywell recommends users follow all guidance in the Experion Network and Security Planning Guide to prevent attacks by
malicious actors.

Additional information can be found in Honeywell Support document SN2021-02-22-01.");
  # Severity vectors: network-reachable, low complexity, no authentication or
  # user interaction, complete/high impact on confidentiality, integrity and
  # availability. The v3 vector also sets S:C (scope changed).
  # NOTE(review): the temporal vectors carry RL:OF / RL:O (official fix), while
  # the solution text above describes hardening guidance only - confirm which
  # remediation level is intended.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-38397");

  # Exploit status as recorded in the plugin metadata (consistent with E:U
  # above); it is a static value, not a live feed.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # CWE-434: Unrestricted Upload of File with Dangerous Type.
  script_cwe_id(434);

  # NOTE(review): both the vulnerability and patch dates are 2022/10/28, while
  # the referenced CISA advisory ID is icsa-21-278-04 - confirm the dates.
  script_set_attribute(attribute:"vuln_publication_date", value:"2022/10/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/10/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/02/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  # Advertised CPEs. NOTE(review): these use the product names c200_firmware,
  # c200e_firmware and c300_firmware, whereas the matching table later in this
  # file uses c200_controller_firmware, c200e_controller_firmware and
  # c300_controller_firmware; no ACE CPE appears in either list even though the
  # description names ACE controllers - confirm which identifiers the asset
  # inventory actually reports.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:honeywell:c200_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:honeywell:c200e_firmware:-");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:honeywell:c300_firmware:-");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  # Registered as an information-gathering check in the Tenable.ot family.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling prerequisites: the Tenable.ot API integration plugin is declared
  # as a dependency, and the Tenable.ot/Honeywell KB key is required.
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Honeywell");

  # Registration is complete; stop before the detection logic.
  exit(0);
}


include('tenable_ot_cve_funcs.inc');

# Stop here unless the Tenable.ot/Honeywell KB key is present; the value
# returned by the lookup is not used.
get_kb_item_or_exit('Tenable.ot/Honeywell');

# Firmware CPEs that this plugin treats as affected, each tagged with the
# HoneywellExperion family. The version field is "-".
# NOTE(review): presumably that matches any firmware version - confirm against
# tenable_ot_cve_funcs.inc. The product names here (*_controller_firmware)
# differ from the "cpe" attributes in the description block (*_firmware), and
# no ACE controller CPE is listed.
var affected_cpes = {
    "cpe:/o:honeywell:c200_controller_firmware:-"  : {"family" : "HoneywellExperion"},
    "cpe:/o:honeywell:c200e_controller_firmware:-" : {"family" : "HoneywellExperion"},
    "cpe:/o:honeywell:c300_controller_firmware:-"  : {"family" : "HoneywellExperion"}
};

# Asset record for the Honeywell vendor as supplied by the Tenable.ot helper
# library.
var honeywell_asset = tenable_ot::assets::get(vendor:'Honeywell');

# Nothing in this script itself exercises the upload path on the controller;
# the finding comes from handing the asset record and the CPE table to the
# library's comparison routine, reported at SECURITY_HOLE severity.
tenable_ot::cve::compare_and_report(
    asset:honeywell_asset,
    cpes:affected_cpes,
    severity:SECURITY_HOLE);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| honeywell | c200_firmware | - | cpe:/o:honeywell:c200_firmware:- |
| honeywell | c200e_firmware | - | cpe:/o:honeywell:c200e_firmware:- |
| honeywell | c300_firmware | - | cpe:/o:honeywell:c300_firmware:- |
