OTPulse

Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC

Act Now | 9.1 | ICS-CERT ICSA-24-116-04 | Apr 25, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple memory safety and input validation vulnerabilities exist in Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC systems. Affected versions include Experion PKS releases prior to R510.2_HF14, R511.5_TCU4_HF4, R520.1_TCU5, and R520.2_TCU4_HF2; Experion LX releases prior to R511.5_TCU4_HF4, R520.1_TCU5, and R520.2_TCU4_HF2; PlantCruise by Experion releases prior to R511.5_TCU4_HF4, R520.1_TCU5, and R520.2_TCU4_HF2; Safety Manager versions R15x and R16x through R162.10; and Safety Manager SC versions R210.X, R211.1, R211.2, and R212.1. The vulnerabilities are related to buffer overflows (CWE-121, CWE-122, CWE-787), out-of-bounds access (CWE-805, CWE-119, CWE-1327, CWE-130), improper input validation (CWE-20), unsafe pointer operations (CWE-749), and path traversal (CWE-36). Successful exploitation could lead to sensitive information disclosure, privilege escalation, or arbitrary code execution on the control system.

What this means
What could happen
An attacker could gain unauthorized access to process control data, escalate privileges on the system, or execute arbitrary commands on affected Honeywell process control servers and safety management systems, potentially disrupting refining, petrochemical, power generation, or chemical plant operations.
Who's at risk
Refining, petrochemical, power generation, chemical manufacturing, and pharmaceutical plants using Honeywell Experion PKS (Process Knowledge System), Experion LX, PlantCruise by Experion, or Safety Manager control systems. All versions of these systems through the specified hotfix/release levels are affected.
How it could be exploited
An attacker on the network can send specially crafted requests to the affected Honeywell control system server (Experion PKS, Experion LX, PlantCruise, or Safety Manager). The vulnerability allows the attacker to bypass authentication checks and memory bounds, leading to information disclosure, privilege escalation, or remote code execution on the server without requiring valid credentials or user interaction.
Prerequisites
  • Network access to the Honeywell Experion or Safety Manager system port (typically network-reachable from the control network)
  • No authentication required
remotely exploitable · no authentication required · low complexity · high CVSS (9.1) · affects safety systems · no patch currently available for most versions · multiple vulnerability classes including buffer overflows and memory safety
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (16)
16 EOL
Product | Affected Versions | Fix Status
Experion PKS: <R510.2_HF14 | <R510.2 HF14 | No fix (EOL)
Experion LX: <R511.5_TCU4_HF4 | <R511.5 TCU4 HF4 | No fix (EOL)
PlantCruise by Experion: <R511.5_TCU4_HF4 | <R511.5 TCU4 HF4 | No fix (EOL)
Safety Manager: R15x | R15x | No fix (EOL)
Safety Manager: >=R16x|<=R162.10 | ≥ R16x, ≤ R162.10 | No fix (EOL)
Remediation & Mitigation
Do now
HOTFIX: Contact Honeywell to obtain and deploy patched versions referenced in official CVE records and Honeywell Security Notices for your specific product version
WORKAROUND: Restrict network access to Experion PKS, Experion LX, PlantCruise, and Safety Manager systems using firewall rules; allow only authorized workstations and control devices to reach these systems
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Experion PKS: <R510.2_HF14, Experion LX: <R511.5_TCU4_HF4, PlantCruise by Experion: <R511.5_TCU4_HF4, Safety Manager: R15x, Safety Manager: >=R16x|<=R162.10, Safety Manager SC: R210.X, Experion PKS: <R511.5_TCU4_HF4, Experion PKS: <R520.1_TCU5, Experion PKS: <R520.2_TCU4_HF2, Experion LX: <R520.1_TCU5, Experion LX: <R520.2_TCU4_HF2, PlantCruise by Experion: <R520.1_TCU5, PlantCruise by Experion: <R520.2_TCU4_HF2, Safety Manager SC: R211.1, Safety Manager SC: R211.2, Safety Manager SC: R212.1. Apply the following compensating controls:
HARDENING: Implement network segmentation by placing all Honeywell Experion and Safety Manager systems behind firewalls and isolating them from business networks and the Internet
HARDENING: If remote access to these systems is required, use a VPN with current security patches and multi-factor authentication; restrict VPN access to a minimal user group
HARDENING: Apply the principle of least privilege: ensure users and service accounts have only the minimum permissions needed for their role on Experion and Safety Manager systems