Honeywell FALCON XLWeb Controllers Vulnerabilities
Low Risk · ICS-CERT ICSA-14-175-01 · Mar 27, 2014
Summary
Honeywell FALCON XLWeb Controllers contain insecure permissions (CWE-552) and cross-site scripting (CWE-79) vulnerabilities. FALCON Linux up to version 2.04.01 and FALCON XLWebExe up to version 2.02.11 are affected. These vulnerabilities allow attackers to access sensitive files with improper permissions and inject malicious scripts into web interfaces.
What this means
What could happen
An attacker could read sensitive configuration files or inject malicious code into the web management interface, potentially allowing unauthorized access or manipulation of controller settings that govern industrial processes.
Who's at risk
Water utilities and electric utilities operating Honeywell FALCON XLWeb Controllers for supervisory and process control should assess their exposure. FALCON Linux and FALCON XLWebExe platforms managing critical infrastructure automation are affected.
How it could be exploited
An attacker with network access to the FALCON XLWeb controller's web interface could exploit insecure file permissions to read sensitive configuration files, or inject JavaScript code that executes in the browsers of administrators accessing the web console, allowing credential theft or unauthorized configuration changes.
Prerequisites
- Network access to the FALCON controller's web interface (typically HTTP/HTTPS port)
Tags: No patch available (end-of-life products) · Remotely exploitable · Affects process control systems
Exploitability
Moderate exploit probability (EPSS 2.4%)
Affected products (2), both end of life

Product          | Affected Versions | Fix Status
FALCON Linux     | ≤ 2.04.01         | No fix (EOL)
FALCON XLWebExe  | ≤ 2.02.11         | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation to restrict access to the FALCON web interface to authorized engineering workstations only. Use a firewall to block unsolicited traffic to the web management ports.
WORKAROUND: Disable the FALCON web interface if it is not required for normal operations. Use serial or local management connections instead.
HARDENING: If the web interface must remain enabled, deploy a reverse proxy or VPN to add an additional authentication layer in front of the controller.
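The following nginx configuration is an added example of the "reverse proxy in front of the controller" control described above; it is not a configuration from Honeywell, ICS-CERT or this advisory. It assumes an engineering-workstation subnet of 10.10.20.0/24, a controller address of 192.168.100.10, and the certificate, key and htpasswd paths shown; all of these are placeholders to be replaced with site values. Combined with a firewall rule that lets only the proxy host reach the controller's web port, it confines the insecure-permissions and cross-site-scripting issues to authenticated users on an allowlisted network.

```nginx
# Added example, not the vendor's or advisory's configuration.
# nginx reverse proxy providing TLS, a source-address allowlist and a second
# authentication layer in front of an end-of-life FALCON XLWeb controller.
server {
    listen 443 ssl;
    server_name falcon-proxy.example.internal;   # assumed hostname

    ssl_certificate     /etc/nginx/tls/falcon-proxy.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/falcon-proxy.key;   # assumed path

    # Only the engineering workstation subnet may reach the controller's
    # web interface through the proxy; everything else is refused.
    allow 10.10.20.0/24;   # assumed engineering subnet
    deny  all;

    # Proxy-level credentials, independent of the controller's own login,
    # so the controller's web interface is never reachable unauthenticated.
    auth_basic           "FALCON engineering access";
    auth_basic_user_file /etc/nginx/falcon.htpasswd;   # assumed path

    # Do not let browsers cache controller pages that may contain
    # configuration data.
    add_header Cache-Control "no-store";

    location / {
        proxy_pass http://192.168.100.10:80;   # assumed controller address
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

The allowlist and basic-auth directives sit at the server level so they apply to every location, and the controller itself should be placed on a network where only the proxy host can open connections to its HTTP port; otherwise the proxy can simply be bypassed.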
Mitigations - no patch available
The following products have reached End of Life with no planned fix: FALCON Linux ≤ 2.04.01, FALCON XLWebExe ≤ 2.02.11. Apply the following compensating controls:
HARDENING: Evaluate migration to newer Honeywell control platforms that receive security updates. FALCON Linux and FALCON XLWebExe are no longer actively patched.
CVEs (2)