Honeywell Experion PKS Vulnerabilities
Low Risk | ICS-CERT ICSA-14-352-01 | Sep 20, 2014
Summary
Honeywell Experion PKS contains multiple memory safety vulnerabilities (buffer overflows, out-of-bounds read/write) and code injection flaws in versions R400, R410, and R430. These vulnerabilities allow unauthenticated remote code execution on the platform, potentially enabling attackers to compromise the integrity and availability of supervisory control and process monitoring functions. The vulnerabilities were assigned CWEs 122, 121, 123 (buffer/out-of-bounds issues), CWE-22 (path traversal), and CWE-98 (code injection). No patches are currently available from the vendor.
What this means
What could happen
An attacker with network access to the Experion PKS could exploit memory safety vulnerabilities to execute arbitrary code on the platform, potentially allowing them to alter process setpoints, disable safety interlocks, or shut down critical operations in water treatment, power generation, or other networked industrial facilities.
Who's at risk
Water utilities, power generation facilities, and other critical infrastructure operators using Honeywell Experion PKS (Process Knowledge System) versions R400, R410, or R430 for supervisory control and monitoring are affected. This platform is widely deployed in distributed control system architectures where it serves as the central supervisory and data acquisition layer.
How it could be exploited
An attacker sends a specially crafted request to the Experion PKS over the network that triggers a buffer overflow, out-of-bounds read/write, or code injection flaw. The vulnerability in the platform's message handling allows the attacker to overwrite memory and inject code that executes with the privileges of the affected service, giving them control over the control system logic and setpoints.
Prerequisites
- Network access to Experion PKS platform on vulnerable versions
- No authentication required to exploit the vulnerability
- Attacker must craft payload matching specific memory layout of target version
- Remotely exploitable
- No authentication required
- Memory safety vulnerabilities (CWE-121, CWE-122, CWE-123)
- Path traversal possible (CWE-22)
- Code injection possible (CWE-98)
- No patch available for affected versions
- Affects critical supervisory control platform
Exploitability
Moderate exploit probability (EPSS 2.2%)
Affected products (3)
All 3 affected products are end-of-life (EOL).
Product             Affected Versions      Fix Status
Experion PKS R40x   earlier than R400.6    No fix (EOL)
Experion PKS R41x   earlier than R410.6    No fix (EOL)
Experion PKS R43x   earlier than R430.2    No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation to isolate Experion PKS systems from untrusted networks. Use firewalls and access controls to restrict inbound connections to only authorized engineering workstations and supervisory systems.
WORKAROUND: Monitor all network traffic to and from Experion PKS systems for signs of exploitation attempts. Alert on unexpected connection patterns, malformed requests, or suspicious process execution.
HARDENING: Maintain an inventory of all Experion PKS installations and their current firmware versions to enable rapid patching once fixes are released.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade Experion PKS systems to fixed versions when available. Plan and schedule maintenance windows to apply patches to R40x, R41x, and R43x installations as vendor releases them.
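One way to act on the inventory item above, as an added example that is not part of the advisory or any Honeywell tooling: a script that parses Experion PKS release strings of the form Rxxx.y and flags hosts that fall inside the affected ranges from the product table (the hostnames and versions in SAMPLE_INVENTORY are constructed sample data).

```python
"""Triage an Experion PKS inventory against this advisory's affected-version
table. Thresholds come from the advisory; the inventory rows are constructed
sample data, not real hosts."""
import re

# Advisory table: a release on line R40x/R41x/R43x is affected when it sorts
# below the listed point release. Keyed by the two-digit release line.
AFFECTED_BELOW = {
    40: (400, 6),   # Experion PKS R40x: earlier than R400.6
    41: (410, 6),   # Experion PKS R41x: earlier than R410.6
    43: (430, 2),   # Experion PKS R43x: earlier than R430.2
}
_VERSION_RE = re.compile(r"^R(\d{3})(?:\.(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """'R410.3' -> (410, 3); a bare 'R410' counts as point 0; None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def is_affected(version):
    """True if inside an affected range, False if at/after the fixed point or on
    a line the advisory does not list, None if the string cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    threshold = AFFECTED_BELOW.get(parsed[0] // 10)
    return threshold is not None and parsed < threshold


# Constructed sample inventory: (hostname, release reported by the host).
SAMPLE_INVENTORY = [
    ("eps-server-01", "R400.5"),   # below R400.6 -> affected
    ("eps-server-02", "R410.6"),   # at the fixed point -> clear
    ("eps-server-03", "R430.1"),   # below R430.2 -> affected
    ("eps-server-04", "R431.2"),   # R43x line, above R430.2 -> clear
    ("eps-server-05", "unknown"),  # cannot be parsed -> verify manually
]


def triage(inventory):
    """Return (affected, clear, unknown) host lists for the mitigation checklist."""
    affected, clear, unknown = [], [], []
    for host, version in inventory:
        result = is_affected(version)
        bucket = unknown if result is None else (affected if result else clear)
        bucket.append(host)
    return affected, clear, unknown


if __name__ == "__main__":
    for label, hosts in zip(("affected", "clear", "verify"), triage(SAMPLE_INVENTORY)):
        print(f"{label}: {hosts}")
```

Hosts in the "affected" list are the ones to prioritise for the segmentation and monitoring steps above; hosts in "verify" need their release confirmed by hand before they are assumed clear.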