Honeywell Uniformance PHD Denial Of Service (Update A)

MonitorCVSS 7.5ICS-CERT ICSA-16-070-02ADec 12, 2016

Honeywell

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Honeywell Uniformance PHD versions R310.1.1.2, R320.1.0.2, and R321.1.1 contain a stack buffer overflow vulnerability (CWE-121) that allows a remote, unauthenticated attacker to crash the PHD server process. The vulnerability can be triggered by sending a specially crafted network message to the PHD server. When exploited, the server becomes unresponsive, denying access to historian data and potentially disrupting any control logic or monitoring systems that depend on real-time historian queries. No vendor patch is available for any affected version.

What this means

What could happen

An attacker with network access could cause the Uniformance PHD data historian to become unresponsive, interrupting the collection and retrieval of critical process data used for monitoring and control decisions in water and electric utilities.

Who's at risk

Water utilities and municipal electric utilities that rely on Honeywell Uniformance PHD for real-time historian services. This includes any operations using PHD to store and retrieve process data such as SCADA measurements, generator status, pump flow rates, or water quality parameters. Operations personnel should prioritize this if PHD data is used for decision-making or alarming.

How it could be exploited

An attacker on the network sends a specially crafted message to the PHD server on its listening port. The message triggers a stack buffer overflow (CWE-121) that crashes the process, denying availability of the historian.

Prerequisites

Network access to the Uniformance PHD server port (typically 11001 or similar)
No credentials required

remotely exploitableno authentication requiredlow complexityno patch availableaffects historian availability

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (3)

3 EOL

ProductAffected VersionsFix Status

Uniformance PHD: <R310.1.1.2<R310.1.1.2No fix (EOL)

Uniformance PHD: <R320.1.0.2<R320.1.0.2No fix (EOL)

Uniformance PHD: <R321.1.1<R321.1.1No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGImplement network segmentation to restrict access to the PHD server from trusted engineering workstations and SCADA networks only

HARDENINGDeploy a firewall rule or access control list to allow only legitimate client connections to the PHD server port

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor PHD server process for unexpected crashes or restarts and log connection attempts from unexpected sources

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: Uniformance PHD: <R310.1.1.2, Uniformance PHD: <R320.1.0.2, Uniformance PHD: <R321.1.1. Apply the following compensating controls:

HARDENINGEvaluate upgrade or replacement options for Uniformance PHD since no vendor patch is available for any affected version

CVEs (1)

CVE-2016-2280

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/de4156f9-26fc-4844-8430-a3fd09ad583a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.