Host Engineering H2-ECOM100 Module

Monitor7.5ICS-CERT ICSA-20-345-02Dec 10, 2020

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The H2-ECOM100 Module contains an input validation vulnerability in its web server. Successful exploitation causes a denial-of-service condition, rendering the device unresponsive until manually restarted. Affected firmware versions include H4-ECOM100 Module (firmware <= 4.0.2148) and Hardware versions <= 5.0.1043, 5.0.149, 4.1.113, 4.0.2148, or 4.0.348. No fix is currently available from Host Engineering.

What this means

What could happen

An attacker could send malformed input to the H2-ECOM100 web server, causing the device to stop responding and forcing a manual restart. This interrupts communication between your PLCs and remote monitoring systems until the device is brought back online.

Who's at risk

Water authorities and electric utilities using Host Engineering H2-ECOM100 modules for PLC communication and remote monitoring should assess their exposure. These modules are commonly used in SCADA systems to bridge engineering workstations and remote sites to industrial controllers.

How it could be exploited

An attacker with network access to the H2-ECOM100 module's web server (typically port 80 or 443) sends specially crafted HTTP requests that trigger invalid input handling in the web server code. The device becomes unresponsive and requires manual power cycle or restart to recover.

Prerequisites

Network access to the H2-ECOM100 web server port (typically port 80/443)
No authentication required

remotely exploitableno authentication requiredlow complexityhigh availability impact (denial of service)no patch available

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

H4-ECOM100 Module: Firmware≤ 4.0.2148No fix (EOL)

Hardware≤ 5.0.1043; ≤ 5.0.149; ≤ 4.1.113; ≤ 4.0.2148; ≤ 4.0.348No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDDisable the web server on the H2-ECOM100 module if the device does not require remote web access

HARDENINGRestrict network access to the H2-ECOM100 module from the Internet and untrusted networks using firewall rules

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Hardware

HOTFIXUpdate Hardware to version newer than 5.0.1043, 5.0.149, 4.1.113, or 4.0.348 (depending on your hardware version) using Host Engineering update process

All products

HOTFIXUpdate H4-ECOM100 Module firmware using Live Update feature in NetEdit3 software to version newer than 4.0.2148

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: H4-ECOM100 Module: Firmware, Hardware. Apply the following compensating controls:

HARDENINGSegment the device behind a firewall and isolate it from the business network

HARDENINGIf remote access is required, use a VPN with the most current version available and ensure connected devices are patched

CVEs (1)

CVE-2020-25195

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/4cfc1bcc-e6f3-4705-a6b2-085b3cbd8829