Honeywell XL Web II Controller Vulnerabilities

Plan PatchCVSS 8.6ICS-CERT ICSA-17-033-01Feb 2, 2017

Honeywell

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities have been identified in Honeywell's XL Web II controller application. These vulnerabilities include weak credential storage, session management flaws, and insufficient access controls that could allow an attacker without credentials to read sensitive information such as configuration data and credentials, or to modify device settings. Affected versions are XLWeb 500 XLWebExe 1-02-08 and earlier, and XL1000C500 XLWebExe 2-01-00 and earlier. The vulnerabilities exist in the web interface used for remote device administration and configuration.

What this means

What could happen

An attacker could gain unauthorized access to the XL Web II controller, read sensitive engineering data or credentials, and potentially modify device configuration or operational parameters without requiring valid credentials.

Who's at risk

Organizations operating heating, ventilation, and air conditioning (HVAC) systems, building automation systems, and other industrial processes that use Honeywell XL Web II controllers for networked monitoring and control. This affects both XLWeb 500 and XL1000C500 series controllers.

How it could be exploited

An attacker with network access to the web interface could send specially crafted requests that bypass authentication, access files containing credentials or sensitive configuration data, or send commands to modify controller settings. No valid credentials are required to exploit these flaws.

Prerequisites

Network access to the XL Web II controller web interface (typically HTTP/HTTPS port 80 or 443)
Honeywell XLWeb 500 XLWebExe version 1-02-08 or earlier, or XL1000C500 XLWebExe version 2-01-00 or earlier

remotely exploitableno authentication requiredlow complexityno patch availableaffects automated control systems

Exploitability

Some exploitation risk — EPSS score 3.2%

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

XLWeb 500 XLWebExe: 1-02-08 and prior≤ 1-02-08No fix (EOL)

XL1000C500 XLWebExe: 2-01-00 and prior≤ 2-01-00No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDRestrict network access to the XL Web II web interface using firewall rules to allow only trusted engineering and operator workstations

HARDENINGChange any default credentials configured on the XL Web II controller

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to the latest patched version of XL Web II firmware released by Honeywell

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: XLWeb 500 XLWebExe: 1-02-08 and prior, XL1000C500 XLWebExe: 2-01-00 and prior. Apply the following compensating controls:

HARDENINGPlace XL Web II controllers on a separate industrial control network segment isolated from business IT networks and the Internet

HARDENINGMonitor access logs for the XL Web II web interface for unauthorized connection attempts

CVEs (5)

CVE-2017-5139 CVE-2017-5140 CVE-2017-5141 CVE-2017-5142 CVE-2017-5143

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/1e6ad3ab-ccef-46a1-86ae-921f68c88e1d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.