Honeywell HscRemoteDeploy.dll ActiveX Control vulnerability

2013-04-19T00:00:00
ID SAINT:0DFA1CE1A942D56FF2D56E520988342E
Type saint
Reporter SAINT Corporation
Modified 2013-04-19T00:00:00

Description

Added: 04/19/2013
CVE: CVE-2013-0108
BID: 58134
OSVDB: 90583

Background

Honeywell offers software solutions which integrate different systems and devices such as HVAC, security, safety, lighting, and energy into a common platform.

Problem

A vulnerability in multiple Honeywell products allows command execution when a user loads a malicious web page which calls the HscRemoteDeploy.dll ActiveX control with specially crafted parameters.

Resolution

Contact Honeywell for an update.

References

<http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02A.pdf>

Limitations

Exploit works on Honeywell HSCRemoteDeploy ActiveX 5.7.170.410 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn) and requires a user to open the exploit page in Internet Explorer 8 or 9.

Platforms

Windows