(I)IoT Security News
ICS, News, Vulnerabilities

Honeywell ControlEdge PLC and RTU

Honeywell ControlEdge PLC and RTU

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to obtain passwords and session tokens.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ControlEdge PLC and RTU, are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1    CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected device exposes unencrypted passwords on the network.

CVE-2020-10628 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.2    CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected product exposes a session token on the network.

CVE-2020-10624 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

3.4 RESEARCHER

Nikolay Sklyarenko of Kaspersky reported these vulnerabilities to Honeywell.

4. MITIGATIONS

Honeywell provided detailed information for mitigation on the insecure communication in Control Edge PLC\RTU. Please access the support document SN2020-04-17-01-ConotrolEdge-PLC-and- and-RTU-Secure-Communication (login required). Download this document and follow the step by step instructions. The user must be logged in to access the security notification.

Users who have difficulty accessing the document can contact Honeywell support.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

Source:

https://us-cert.cisa.gov/ics/advisories/icsa-20-175-02

Related posts

Schneider Electric Security Notification Trio™ Licensed and License-free Data RadiosSchneider Electric Security Notification

(I) IoT
7 months ago

Advantech DiagAnywhere Server

(I) IoT
5 years ago

Grundfos CIM 500

(I) IoT
4 years ago
Exit mobile version