Honeywell Experion PKS Safety Manager (SM and FSC) through 2022-05-06 has Insufficient Verification of Data Authenticity. According to FSCT-2022-0053, there is a Honeywell Experion PKS Safety Manager insufficient logic security controls issue. The affected components are characterized as: Honeywell FSC runtime (FSC-CPU, QPP), Honeywell Safety Builder. The potential impact is: Remote Code Execution, Denial of Service.

The Honeywell Experion PKS Safety Manager family of safety controllers utilizes the unauthenticated Safety Builder protocol (FSCT-2022-0051) for engineering purposes, including downloading projects and control logic to the controller. Control logic is downloaded to the controller on a block-by-block basis. The logic that is downloaded consists of FLD code compiled to native machine code for the CPU module (which applies to both the Safety Manager and FSC families). Since this logic does not seem to be cryptographically authenticated, an attacker capable of triggering a logic download can execute arbitrary machine code on the controller's CPU module in the context of the runtime. While the researchers could not verify this in detail, they believe that the microprocessor underpinning the FSC and Safety Manager CPU modules is incapable of offering memory protection or privilege separation capabilities, which would give an attacker full control of the CPU module.

There is no authentication on control logic downloaded to the controller. Memory protection and privilege separation capabilities for the runtime are possibly lacking. The researchers confirmed the issues in question on Safety Manager R145.1 and R152.2 but suspect the issue affects all FSC and SM controllers and associated Safety Builder versions regardless of software or firmware revision.
An attacker who can communicate with a Safety Manager controller via the Safety Builder protocol can execute arbitrary code without restrictions on the CPU module, allowing for covert manipulation of control operations and implanting capabilities similar to the TRITON malware (MITRE ATT&CK software ID S1009). A mitigating factor with regard to some, but not all, of the above functionality is that it requires the Safety Manager physical keyswitch to be in the right position.
Honeywell Experion Pks Software Download
These wrapped DLL/ELF files are libraries of code blocks that are used in the Control Builder software. When the CCL files are transferred from the Control Builder to the PKS device, there are no security validations such as signature checking or sanitization of the library names. It is therefore possible for an attacker to perform a directory traversal attack and upload any DLL/ELF file they wish to arbitrary locations on the remote controller. In some cases, CCL files that are sent to the end devices get executed instantly without any security checks being performed.

The protocol used for transferring files from the Control Builder software to the device does not require any form of authentication. Authentication, if in place, would prevent unauthorised users from performing download actions. An attacker may therefore use the library to remotely execute code without authentication by downloading a malicious DLL/ELF file to the controller using the protocol, and it will be instantly executed on the device.
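The two checks the paragraph above reports as missing, library-name sanitization and an authenticity check on the library content, look like this on the receiving side. This is an added example, not Honeywell's code or protocol: the function names, the allowed-name pattern and the key are assumptions, and an HMAC with a shared key stands in for vendor code signing so that the example needs only the standard library.

```python
import hashlib
import hmac
import re
from pathlib import PurePosixPath, PureWindowsPath

# Assumed policy (not from the page): a library name is a bare file name.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(dll|elf)", re.IGNORECASE)

class RejectedDownload(Exception):
    """An incoming library failed name or authenticity validation."""

def validate_library_name(name: str) -> str:
    """Reject any name that could resolve outside the library directory."""
    # Test both path conventions: sender and receiver may run different OSes.
    for flavour in (PurePosixPath, PureWindowsPath):
        path = flavour(name)
        if path.is_absolute() or path.name != name or ".." in path.parts:
            raise RejectedDownload(f"path component in library name: {name!r}")
    if not SAFE_NAME.fullmatch(name):
        raise RejectedDownload(f"library name not in allowed form: {name!r}")
    return name

def sign_library(name: str, payload: bytes, key: bytes) -> str:
    """Engineering-station side. HMAC is a stand-in for a real signature."""
    # The tag covers name and content, so it cannot be reused under a new name.
    msg = name.encode() + b"\x00" + payload
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_download(name: str, payload: bytes, tag: str, key: bytes) -> str:
    """Receiver side: return the safe name only if every check passes."""
    safe = validate_library_name(name)
    expected = sign_library(safe, payload, key)
    # Constant-time comparison on bytes, which accepts arbitrary tag input.
    if not hmac.compare_digest(expected.encode(), tag.lower().encode()):
        raise RejectedDownload("authenticity tag mismatch")
    return safe

if __name__ == "__main__":
    key = b"constructed-demo-key"              # constructed sample values
    body = b"\x7fELF constructed sample body"
    tag = sign_library("block_lib.elf", body, key)
    print(verify_download("block_lib.elf", body, tag, key))
    for bad in ("..\\..\\windows\\x.dll", "../x.elf", "C:x.dll"):
        try:
            verify_download(bad, body, tag, key)
        except RejectedDownload as exc:
            print("rejected:", exc)
```

Nothing is written or executed until both checks pass, which is the ordering the described behaviour lacks.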
2.2.4 Applicable modules

Module
C200 controller
C200E controller
C300 controller
Fieldbus Interface Module
Fieldbus Interface Module 4
Fieldbus Interface Module 8
Fault Tolerant Ethernet Bridge Module (FTEB)
Serial I/O Module (IOM)
Legacy I/O Module (LIOM)
PROFIBUS Gateway Module (PGM)
SeriesC IO Module

Is this patch applicable

Supported controller migration paths

Not Applicable

Verify the present version on the node

To verify the present version on the node, perform the following steps.

1. Using Notepad, open the ProductVersion.txt file located in the following path. \honeywell\experion PKS\ProductVersion.txt.
2. Verify the ProductVersion.txt for the following: If the following line is present, the node has the appropriate product version to install this patch.
   +Experion PKS R511.3 Install completed on MM/DD/YYYY HH:MM:SS

Note: is the location where Experion is installed. For default installations this is C:\Program Files (x86).

Experion PKS R511.3 Server Patch 2/HMIWeb Patch 3
3 Patch installation

ATTENTION
Please ensure that the order in which the patch is applied to each node follows the order documented in the patch installation instructions below. Please take note of the downloaded patch location before starting the installation steps below.

3.1 Installing the patch on Redundant Experion Server (ESV) & Redundant Server TPN Connected (ESVT)

To install the patch

1. Ensure the Primary and Backup Server databases are synchronized and there is no alarm indicating that the event replication has failed before proceeding.
2. On the Backup Server, log in using an account that is a member of both the Windows Administrators and Product Administrators group.
3. Ensure no instances of Station, Display Builder, Configuration Studio, Quick Builder, HMIWeb Display Builder, the Diagnostic Capture Tool or Microsoft Excel are running.
4. On the Backup Server, start the Experion PKS Services Control Panel program (from Start -> Honeywell Experion Tools -> Experion PKS Services Control Panel). Once started, select Stop All services and click OK to stop all Experion services.
5. Click Exit to exit the Experion PKS Services Control Panel program.
6. Navigate to the software patch package, right click experion_wrapper.exe and choose Run as Administrator.
7. Click Yes when prompted to allow the patch to run.
8. Click OK when asked if you want to install the following update. A Command Prompt window with the text Installing patch and a few Windows Installer dialogs will appear.
9. Once the patch installation is finished, click OK to close the dialog.
10. Restart the machine.
11. Synchronize Primary and Backup Server databases.
12. Fail over the Primary Server to the Backup Server.
13. Repeat steps 2. to 11. on the new Backup Server.

Notes:
If the software patch installer reports that some programs must be closed before installing, click OK to accept this and let the installer terminate these programs. Otherwise, click Cancel to abort installation.

To validate the patch installation

To verify the successful installation of the patch:

1. Using Notepad, open the ProductVersion.txt file located in the following path: \honeywell\experion PKS\ProductVersion.txt
2. Verify that the file contains an entry starting with:
   ++ Patch Experion PKS R511.3 Server Patch 2 installed on
   ++ Patch Experion PKS R511.3 HMIWeb Patch 3 installed on
   ++ Patch Experion PKS R511.3 Quick Builder Patch 1 installed on

After successful installation, the files extracted for installation are no longer needed. Delete the temporary folder and its files.

3.2 Installing the patch on Non-redundant Experion Server (ESV), Non-Redundant Server TPN Connected (ESVT), and Application Server (EAS)

To install the patch

ATTENTION
Installation of this patch requires the Experion Server to be stopped, therefore no view or control of the process is available during the installation.

1. Log in using an account that is a member of both the Windows Administrators and Product Administrators group.
2. Ensure no instances of Station, Display Builder, Configuration Studio, Quick Builder, HMIWeb Display Builder, the Diagnostic Capture Tool or Microsoft Excel are running.
3. Start the Experion PKS Services Control Panel program (from Start -> Honeywell Experion Tools -> Experion PKS Services Control Panel). Once started, select Stop All services and click OK to stop all Experion services.
4. Click Exit to exit the Experion PKS Services Control Panel program.
5. Navigate to the software patch package, right click experion_wrapper.exe and choose Run as Administrator.
6. Click Yes when prompted to allow the patch to run.
7. Click OK when asked if you want to install the following update. A Command Prompt window with the text Installing patch and a few Windows Installer dialogs will appear.
8. Once the patch installation is finished, click OK to close the dialog.
9. Restart the machine.

Notes:
If the software patch installer reports that some programs must be closed before installing, click OK to accept this and let the installer terminate these programs. Otherwise, click Cancel to abort installation.

To validate the patch installation

To verify the successful installation of the patch:

1. Using Notepad, open the ProductVersion.txt file located in the following path: \honeywell\experion PKS\ProductVersion.txt
2. Verify that the file contains an entry starting with:
   ++ Patch Experion PKS R511.3 Server Patch 2 installed on
   ++ Patch Experion PKS R511.3 HMIWeb Patch 3 installed on
   ++ Patch Experion PKS R511.3 Quick Builder Patch 1 installed on

After successful installation, the files extracted for installation are no longer needed. Delete the temporary folder and its files.

3.3 Installing the patch on Console Station (ES-C), Console Station TPN Connected (ES-T), Console Extension Station (ES-CE), Flex Station, and Collaboration Station

To install the patch

1. Log in using an account that is a member of both the Windows Administrators and Product Administrators group.
2. Ensure no instances of Station, Display Builder, Configuration Studio, Quick Builder, HMIWeb Display Builder, the Diagnostic Capture Tool or Microsoft Excel are running.
3. Start the Experion PKS Services Control Panel program (from Start -> Honeywell Experion Tools -> Experion PKS Services Control Panel). Once started, select Stop All services and click OK to stop all Experion services.
4. Click Exit to exit the Experion PKS Services Control Panel program.
5. Navigate to the software patch package, right click experion_wrapper.exe and choose Run as Administrator.
6. Click Yes when prompted to allow the patch to run.