Team82 uncovered critical vulnerabilities in Honeywell’s ControlEdge Virtual Unit Operations Center (UOC), which has raised concerns about the security of industrial control systems (ICS). The vulnerabilities were found within the EpicMo protocol implementation, allowing potential attackers to execute remote code without authentication.
Honeywell’s proprietary communication protocol, EpicMo, is used to debug and diagnose Honeywell controllers. Operating over TCP port 55565, the protocol includes function codes such as ReadMemory, WriteMemory, Reboot, and ReadCrashBlock. However, Team82’s research revealed undocumented functions within the protocol that could be abused to write files to Virtual UOC controllers without proper input validation.
One of the most critical vulnerabilities identified is CVE-2023-5389, stemming from the LoadFileToModule function within the EpicMo protocol. This function enables users to write files to the controller without proper validation, potentially leading to remote code execution. Exploiting this vulnerability requires sending a series of packets to the controller to initiate the file write, followed by data packets, and concluding with a final command to signal the end of the upload.
By overwriting a system shared-object file with a malicious payload, an attacker could achieve code execution when the controller reboots. A second vulnerability in the EpicMo protocol, CVE-2023-5390, was also identified; fewer details were published for it, and it carries a moderate CVSS v3 score of 5.3. These vulnerabilities underscore the risks associated with proprietary protocols in industrial environments.
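The two facts above that a defender can act on immediately are the fixed TCP port (55565) and the shape of the abuse (a client pushing a large file into the controller over a protocol meant for diagnostics). The following detection logic, an added example that is not part of the original article or of Team82’s research, scans constructed Zeek-style connection records for EpicMo sessions from hosts outside an engineering allowlist and for sessions whose client-to-controller byte count looks like an upload; the host addresses, the byte threshold and the log layout are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

EPICMO_PORT = 55565  # TCP port EpicMo listens on, per the article

# Assumption: only these engineering hosts should ever speak EpicMo.
# Placeholder addresses; a site substitutes its own allowlist.
ENGINEERING_HOSTS = {"10.0.10.5", "10.0.10.6"}

# Assumption: a diagnostic session sends little data *to* the controller,
# so a large originator byte count resembles the initiate/data/finalize
# upload sequence described for LoadFileToModule.
UPLOAD_BYTES_THRESHOLD = 64 * 1024


@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    orig_bytes: int  # bytes sent by the originator (client -> controller)


def classify(conn: Conn) -> List[str]:
    """Findings for one connection record; empty list means nothing to flag."""
    findings: List[str] = []
    if conn.dport != EPICMO_PORT:
        return findings
    if conn.src not in ENGINEERING_HOSTS:
        findings.append("epicmo_from_unexpected_host")
    if conn.orig_bytes >= UPLOAD_BYTES_THRESHOLD:
        findings.append("epicmo_large_upload")
    return findings


def parse_conn_log(text: str) -> List[Conn]:
    """Parse tab-separated records: id.orig_h, id.resp_h, id.resp_p, orig_bytes."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip header/comment lines
            continue
        src, dst, dport, obytes = line.split("\t")
        conns.append(Conn(src, dst, int(dport), int(obytes)))
    return conns


def scan(text: str) -> Dict[str, List[str]]:
    """Map 'src->dst:port' to findings, keeping only flagged connections."""
    return {f"{c.src}->{c.dst}:{c.dport}": f
            for c in parse_conn_log(text) if (f := classify(c))}


# Constructed sample log (not real traffic): an allowed session, a session from
# an unlisted host, a large upload from an allowed host, and non-EpicMo traffic.
SAMPLE_LOG = ("#fields\tid.orig_h\tid.resp_h\tid.resp_p\torig_bytes\n"
              "10.0.10.5\t10.0.20.50\t55565\t2048\n"
              "10.0.30.77\t10.0.20.50\t55565\t1500\n"
              "10.0.10.6\t10.0.20.50\t55565\t900000\n"
              "10.0.30.77\t10.0.20.50\t502\t300\n")

if __name__ == "__main__":
    for key, findings in scan(SAMPLE_LOG).items():
        print(key, ",".join(findings))
```

The same two checks translate directly into a firewall rule (only engineering hosts may reach TCP/55565) and an IDS threshold on bytes sent toward the controller on that port.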
In response to these findings, Honeywell has updated the Virtual UOC to address the vulnerabilities, and the Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory urging users to update to the latest versions. While Honeywell’s swift action is commendable, the episode is a reminder of the critical importance of robust security measures in industrial control systems.
The discovery of vulnerabilities in the Virtual UOC emphasizes the need for continuous security assessments and updates in industrial environments. As proprietary protocols like EpicMo are crucial for the operation of ICS, ensuring their security is vital to safeguard industrial processes from manipulation or disruption. Users of Honeywell’s Virtual UOC are advised to update their systems promptly and remain vigilant against potential threats.
Overall, the vulnerabilities found in Honeywell’s ControlEdge Virtual UOC highlight the ongoing challenges in securing industrial control systems and reinforce the need for strong cybersecurity practices in critical infrastructure. Continuous monitoring, timely updates, and user awareness play crucial roles in mitigating the risks posed by such vulnerabilities and protecting industrial operations from potential cyber threats.