Honeywell Uniformance PHD Denial Of Service (Update A)
Monitor | 7.5 | ICS-CERT ICSA-16-070-02A | Dec 12, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Honeywell Uniformance PHD versions R310.1.1.2, R320.1.0.2, and R321.1.1 contain a stack buffer overflow vulnerability (CWE-121) that allows a remote, unauthenticated attacker to crash the PHD server process. The vulnerability can be triggered by sending a specially crafted network message to the PHD server. When exploited, the server becomes unresponsive, denying access to historian data and potentially disrupting any control logic or monitoring systems that depend on real-time historian queries. No vendor patch is available for any affected version.
What this means
What could happen
An attacker with network access could cause the Uniformance PHD data historian to become unresponsive, interrupting the collection and retrieval of critical process data used for monitoring and control decisions in water and electric utilities.
Who's at risk
Water utilities and municipal electric utilities that rely on Honeywell Uniformance PHD for real-time historian services. This includes any operations using PHD to store and retrieve process data such as SCADA measurements, generator status, pump flow rates, or water quality parameters. Operations personnel should prioritize this if PHD data is used for decision-making or alarming.
How it could be exploited
An attacker on the network sends a specially crafted message to the PHD server on its listening port. The message triggers a stack buffer overflow (CWE-121) that crashes the process, denying availability of the historian.
Prerequisites
- Network access to the Uniformance PHD server port (typically 11001 or similar)
- No credentials required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects historian availability
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
3 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Uniformance PHD: <R310.1.1.2 | <R310.1.1.2 | No fix (EOL) |
| Uniformance PHD: <R320.1.0.2 | <R320.1.0.2 | No fix (EOL) |
| Uniformance PHD: <R321.1.1 | <R321.1.1 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to restrict access to the PHD server from trusted engineering workstations and SCADA networks only
- HARDENING: Deploy a firewall rule or access control list to allow only legitimate client connections to the PHD server port
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor PHD server process for unexpected crashes or restarts and log connection attempts from unexpected sources
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Uniformance PHD: <R310.1.1.2, Uniformance PHD: <R320.1.0.2, Uniformance PHD: <R321.1.1. Apply the following compensating controls:
- HARDENING: Evaluate upgrade or replacement options for Uniformance PHD since no vendor patch is available for any affected version
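One way to act on the monitoring item above (log connection attempts from unexpected sources and watch for restarts), as an added example that is not part of the advisory or of any Honeywell tooling. It assumes the historian listens on TCP 11001 (the page says "typically 11001 or similar"), that connection logs use the Windows Firewall log field order, and that the allowlist, log lines and restart time shown are constructed sample values.

```python
import ipaddress
from datetime import datetime, timedelta

PHD_PORT = 11001  # assumption: the advisory says "typically 11001 or similar"
# Assumption: constructed allowlist of engineering/SCADA client addresses.
ALLOWED = [ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_network("10.30.5.17/32")]

# Constructed sample lines in the Windows Firewall log field order.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-12-12 09:58:11 ALLOW TCP 10.20.0.14 10.20.0.5 50112 11001 0 - 0 0 0 - - - RECEIVE
2016-12-12 10:02:40 ALLOW TCP 192.168.77.9 10.20.0.5 41822 11001 0 - 0 0 0 - - - RECEIVE
2016-12-12 10:03:05 ALLOW TCP 10.30.5.17 10.20.0.5 50990 11001 0 - 0 0 0 - - - RECEIVE
2016-12-12 10:04:00 ALLOW TCP 192.168.77.9 10.20.0.5 41830 445 0 - 0 0 0 - - - RECEIVE
2016-12-12 11:30:00 DROP TCP 172.16.4.2 10.20.0.5 33001 11001 0 - 0 0 0 - - - RECEIVE
"""
# Constructed timestamp at which the PHD service was observed restarting.
SAMPLE_RESTARTS = [datetime(2016, 12, 12, 10, 3, 30)]

def unexpected_connections(log_text, port=PHD_PORT, allowed=ALLOWED):
    """Return (time, action, src_ip) for TCP traffic to `port` from non-allowlisted sources."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if line.startswith("#") or len(f) < 8 or f[3] != "TCP":
            continue
        try:
            src, dport = ipaddress.ip_address(f[4]), int(f[7])
            when = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue  # malformed line: skip it rather than abort the scan
        if dport == port and not any(src in net for net in allowed):
            hits.append((when, f[2], str(src)))
    return hits

def restarts_after_unexpected(hits, restarts, window=timedelta(minutes=5)):
    """Pair each restart with unexpected connections that were allowed shortly before it."""
    return [(r, src) for r in restarts for when, action, src in hits
            if action == "ALLOW" and timedelta(0) <= r - when <= window]

if __name__ == "__main__":
    hits = unexpected_connections(SAMPLE_LOG)
    for when, action, src in hits:
        print(f"{when} {action} {src} -> tcp/{PHD_PORT} (not in allowlist)")
    for r, src in restarts_after_unexpected(hits, SAMPLE_RESTARTS):
        print(f"restart at {r} within 5 min of connection from {src}")
```

An ALLOW entry from a non-allowlisted source also shows that the firewall rule or ACL from the "Do now" items is not yet restricting the port.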
CVEs (1)