
CISA Warns of High-Risk Flaws in Honeywell Products

By: Alan J
26 April 2024 at 08:51

Honeywell Product Vulnerabilities

CISA (Cybersecurity & Infrastructure Security Agency) has published an ICS (Industrial Control Systems) advisory covering several vulnerabilities in Honeywell products, including Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC. The advisory describes multiple vulnerabilities that could lead to remote code execution, privilege escalation, and sensitive information disclosure. The affected products are deployed in the chemical, critical manufacturing, energy, and water and wastewater systems critical-infrastructure sectors worldwide. Honeywell has released updates addressing these vulnerabilities, and CISA advises users to upgrade to the recommended versions to mitigate the risk.

CISA-Listed Honeywell Product Vulnerabilities of High Severity

The ICS (Industrial Control Systems) Advisory lists vulnerabilities of varying types and of medium to high severity:

- Exposed Dangerous Method or Function (CWE-749): CVE-2023-5389 (CVSS v4 Base Score: 8.8) could be exploited to modify files on Experion controllers or SMSC S300, potentially leading to unexpected behavior or execution of malicious applications.
- Absolute Path Traversal (CWE-36): CVE-2023-5390 (CVSS v4 Base Score: 6.9) allows attackers to read files from Experion controllers or SMSC S300, exposing limited information from the device.
- Stack-based Buffer Overflow (CWE-121): CVE-2023-5407 (CVSS v4 Base Score: 8.3) could enable attackers to induce denial-of-service conditions or perform remote code execution on Experion controllers, ControlEdge PLC, Safety Manager, or SMSC S300 through crafted messages. CVE-2023-5395, CVE-2023-5401 and CVE-2023-5403 (CVSS v4 Base Score: 9.2) could be used for similar attacks on Experion Servers and Stations.
- Binding to an Unrestricted IP Address (CWE-1327): CVE-2023-5398 (CVSS v4 Base Score: 8.7) in Experion Servers or Stations could allow attackers to induce a denial-of-service condition using specially crafted messages over the host network.
- Debug Messages Revealing Unnecessary Information (CWE-1295): CVE-2023-5392 (CVSS v4 Base Score: 8.7) could be exploited to extract more information from memory over the network than is required.
- Out-of-bounds Write (CWE-787): CVE-2023-5406 (CVSS v4 Base Score: 8.2) could lead to attacker-controlled manipulation of messages from controllers, resulting in denial of service or remote code execution over host networks.
- CVE-2023-5405 (CVSS v4 Base Score: 6.9): exploitation of this vulnerability in Experion Servers or Stations could result in information leaks during error generation.
- Heap-based Buffer Overflow (CWE-122): CVE-2023-5400 and CVE-2023-5404 (CVSS v4 Base Score: 9.2), both present in Experion Servers or Stations, could allow denial-of-service attacks or remote code execution via crafted messages.
- Improper Input Validation (CWE-20): CVE-2023-5397 (CVSS v4 Base Score: 9.2) enables denial of service or remote code execution via specially crafted messages.
- Buffer Access with Incorrect Length Value (CWE-805): CVE-2023-5396 (CVSS v4 Base Score: 8.3) enables denial of service or remote code execution via specially crafted messages.
- Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119): CVE-2023-5394 (CVSS v4 Base Score: 8.3) in Experion Servers or Stations enables denial of service or remote code execution via specially crafted messages.
- Improper Handling of Length Parameter Inconsistency (CWE-130): CVE-2023-5393 (CVSS v4 Base Score: 9.2) in Experion Servers or Stations allows denial of service or remote code execution via specially crafted messages.

CISA Shares Mitigations for Honeywell Product Vulnerabilities

CISA has advised affected Honeywell customers to upgrade immediately to the fixed software versions referenced in Honeywell's official Security Notice. CISA additionally recommends that users take steps to reduce the risk of exploitation, such as enforcing least-privilege user restrictions, minimizing network exposure for control system devices, and segmenting control networks and remote devices behind firewalls to isolate them from enterprise networks.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

State Spies Exploited Cisco Zero-Days to Intrude Government Networks

25 April 2024 at 07:40

Cisco zero-days

Networking giant Cisco warned that a group of state-sponsored hackers exploited zero-days in its firewall appliances to spy on government networks over the last several months. In a warning issued on Wednesday, Cisco said that two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls had been exploited by a state-backed hacking group since November 2023 to infiltrate government networks globally. Tracked as UAT4356 by Cisco Talos and as STORM-1849 by Microsoft, the hackers began their cyber-espionage campaign, dubbed "ArcaneDoor," by targeting vulnerable edge devices in early November 2023.
"This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor," Cisco Talos said.

Discovery and Details of the Two Cisco Zero-Days

Despite the absence of an identified initial attack vector, Cisco detected and patched two security flaws, CVE-2024-20353, a denial-of-service bug, and CVE-2024-20359, a persistent local code execution bug, which the threat actors used as zero-days. Cisco became aware of the ArcaneDoor campaign earlier this year but said the attackers had been testing and developing exploits for the two zero-days since at least July 2023. "The investigation that followed identified additional victims, all of which involved government networks globally," Cisco Talos added.

[Figure: Cisco Zero-Days Exploitation Timeline. Credit: Cisco Talos]

The exploited vulnerabilities facilitated the deployment of previously unknown malware, allowing the threat actors to establish persistence on compromised ASA and FTD devices. One implant, dubbed "Line Dancer," acted as an in-memory shellcode loader, enabling the execution of arbitrary shellcode payloads to disable logging, provide remote access, and exfiltrate captured packets. The second implant, a persistent backdoor known as "Line Runner," included various defense evasion mechanisms to evade detection and enable the execution of arbitrary Lua code on compromised systems.

Perimeter network devices like the ASA and FTD firewall appliances "are the perfect intrusion point for espionage-focused campaigns," Cisco said. "Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications." The networking and security giant said it had observed a "dramatic and sustained" increase in the targeting of these devices over the past two years, especially those deployed in the telecommunications and energy sectors, as "critical infrastructure entities are likely strategic targets of interest for many foreign governments," Cisco explained.

What Cybersecurity Agencies Said

A joint advisory published today by the UK's National Cyber Security Centre (NCSC), the Canadian Centre for Cyber Security (Cyber Centre), and the Australian Cyber Security Centre outlined additional activity undertaken by the threat actors:

- They generated text versions of the device's configuration file for exfiltration through web requests.
- They enabled and disabled the device's syslog service to obscure additional commands.
- They modified the authentication, authorization, and accounting (AAA) configuration to grant access to specific actor-controlled devices within the impacted environment.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the two zero-days to its Known Exploited Vulnerabilities Catalog and encouraged users to apply the necessary updates, hunt for malicious activity, and report any positive findings to the agency. Cisco released security updates on Wednesday to address the two zero-days and recommended that all customers upgrade their devices to the fixed software version. Cisco asked administrators to monitor system logs for signs of unscheduled reboots, unauthorized configuration changes, or suspicious credential activity. The company also provided instructions in its advisory on verifying the integrity of ASA or FTD devices.
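The hunting guidance above (syslog toggled on and off, AAA changes, configuration text generated for exfiltration, activity from unexpected sources) can be turned into a small log-triage script. What follows is an added example written for this page; it is not code from the article, from Cisco, or from the joint advisory. It runs over constructed sample lines written in the shape of ASA command-execution syslog messages (%ASA-5-111008 and %ASA-5-111010, whose exact field layout is assumed here), and the management network range passed to it is likewise an assumption.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample lines (not from the article or from Cisco), shaped like
# ASA %ASA-5-111008 / %ASA-5-111010 command-execution messages. The exact
# layout of those messages is an assumption; adapt the regexes to what your
# collector actually receives.
SAMPLE_LOG = """\
Apr 24 2024 03:12:01 fw-edge-01 %ASA-5-111008: User 'admin' executed the 'configure terminal' command.
Apr 24 2024 03:12:05 fw-edge-01 %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.77, executed 'aaa authentication ssh console LOCAL'
Apr 24 2024 03:12:09 fw-edge-01 %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.77, executed 'username svc_backup password ******** privilege 15'
Apr 24 2024 03:12:14 fw-edge-01 %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.77, executed 'show running-config'
Apr 24 2024 03:12:20 fw-edge-01 %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.77, executed 'no logging enable'
Apr 24 2024 03:12:58 fw-edge-01 %ASA-5-111010: User 'admin', running 'CLI' from IP 203.0.113.77, executed 'logging enable'
Apr 24 2024 09:00:02 fw-edge-01 %ASA-5-111010: User 'netops', running 'CLI' from IP 10.20.0.5, executed 'show version'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<rest>.*)$"
)
CMD_111010_RE = re.compile(
    r"User '(?P<user>[^']+)', running '[^']*' from IP (?P<ip>[0-9a-fA-F.:]+), "
    r"executed '(?P<cmd>[^']*)'"
)
CMD_111008_RE = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>[^']*)' command")

# Command patterns mapped to the behaviours described in the joint advisory.
RULES = [
    ("syslog_disabled", re.compile(r"^no\s+logging\s+enable\b")),
    ("syslog_enabled", re.compile(r"^logging\s+enable\b")),
    ("aaa_change", re.compile(r"^(no\s+)?aaa\b")),
    ("local_credential_change", re.compile(r"^(no\s+)?username\b")),
    ("config_text_generated", re.compile(
        r"^(show\s+running-config|more\s+system:running-config|copy\s+running-config)\b")),
]


@dataclass
class CommandEvent:
    ts: datetime
    host: str
    user: str
    src_ip: Optional[str]
    cmd: str
    tags: List[str] = field(default_factory=list)


@dataclass
class BlindWindow:
    """Interval during which syslog was disabled; commands run then never reach the collector."""
    host: str
    user: str
    start: datetime
    end: datetime
    seconds: float


def parse_line(line: str) -> Optional[CommandEvent]:
    m = LINE_RE.match(line)
    if not m:
        return None
    user = ip = cmd = None
    if m["msgid"] == "111010":
        c = CMD_111010_RE.search(m["rest"])
        if c:
            user, ip, cmd = c["user"], c["ip"], c["cmd"]
    elif m["msgid"] == "111008":
        c = CMD_111008_RE.search(m["rest"])
        if c:
            user, cmd = c["user"], c["cmd"]
    if cmd is None:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
    return CommandEvent(ts, m["host"], user, ip, cmd.strip())


def classify(ev: CommandEvent, mgmt_nets) -> CommandEvent:
    for tag, rx in RULES:
        if rx.search(ev.cmd):
            ev.tags.append(tag)
    # Administrative commands from outside the management range are suspicious on their own.
    if ev.src_ip and not any(ipaddress.ip_address(ev.src_ip) in n for n in mgmt_nets):
        ev.tags.append("non_mgmt_source")
    return ev


def hunt(log_text: str, mgmt_cidrs) -> Tuple[List[CommandEvent], List[BlindWindow]]:
    nets = [ipaddress.ip_network(c) for c in mgmt_cidrs]
    events = [classify(e, nets) for e in map(parse_line, log_text.splitlines()) if e]
    findings = [e for e in events if e.tags]
    blind: List[BlindWindow] = []
    off_since = {}  # host -> event that disabled logging
    for e in events:
        if "syslog_disabled" in e.tags:
            off_since[e.host] = e
        elif "syslog_enabled" in e.tags and e.host in off_since:
            start = off_since.pop(e.host)
            blind.append(BlindWindow(e.host, start.user, start.ts, e.ts,
                                     (e.ts - start.ts).total_seconds()))
    return findings, blind


if __name__ == "__main__":
    found, windows = hunt(SAMPLE_LOG, ["10.20.0.0/16"])  # management range is assumed
    for f in found:
        print(f"{f.ts} {f.host} {f.user}@{f.src_ip}: {f.cmd!r} -> {', '.join(f.tags)}")
    for w in windows:
        print(f"{w.host}: syslog off for {w.seconds:.0f}s ({w.start} to {w.end}) by {w.user}")
```

The blind window is the important output: once `no logging enable` has run, nothing the actor does reaches the collector, so the gap itself is the indicator, and the device's local log buffer and a saved copy of the running configuration are what to compare against for that interval.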

Espionage Actors Increasingly Using Edge Device Zero-Days

Although no attribution was made for the ArcaneDoor campaign, a recent trends report from Google-owned security firm Mandiant pointed to Chinese hackers increasingly targeting edge devices like VPN appliances, firewalls, routers, and IoT devices in espionage attacks. Mandiant observed more than 50% growth in zero-day usage compared to 2022, by espionage groups as well as financially motivated hackers.
"China-nexus attackers have gained access to edge devices via exploitation of vulnerabilities, particularly zero-days, and subsequently deployed custom malware ecosystems," Mandiant said.
The security firm added that it expects continued deployment of custom malware ecosystems from Chinese espionage groups, tailored to the device and operation at hand. "This approach provides several advantages such as the increased ability to remain undetected, reduced complexity and increased reliability, and a reduced malware footprint."