Honeywell: Critical controller vulnerabilities allow access to the process control system

The Experion PKS (Process Knowledge System) process control system, used in industrial production plants, can be attacked remotely, warns the US agency CISA. The warning concerns three vulnerabilities in the controller models C200, C200E, C300 and ACE (“Application Control Environment”). Two of the vulnerabilities are rated critical (CVSS scores 9.1 and 10.0 out of a possible 10), while the third is rated high (7.5 out of 10).

For the C300 controller, the manufacturer Honeywell has released a patch that combines server software and controller firmware; users of the other models must fall back on general protection mechanisms, which are explained in advisories from CISA and Honeywell. Attacks on the vulnerabilities have not yet been observed in the wild.

According to the publications by CISA and Honeywell, at least one of the vulnerabilities, CVE-2021-38397 with the highest CVSS score, stems from the fact that Control Component Libraries (CCLs), which provide certain control functions, can be manipulated. Attackers could modify these libraries and load them onto the affected controller models in their altered form, apparently because digital signatures are missing or inadequately used.

As a result, remote execution of arbitrary program code is conceivable, which means that denial-of-service conditions can also be triggered. An exploit of the second critical vulnerability (CVE-2021-38395) could have the same consequences. Honeywell names a few standard CCLs in its advisory and points out that it is irrelevant for attacks whether the respective system normally uses these libraries or not.

According to CISA, the vulnerability CVE-2021-38399, rated “high”, is based on path traversal, which allows unauthorized access to files and directories. All three vulnerabilities can be exploited remotely, depending of course on the network structure, configuration and existing protective mechanisms. Further details on the vulnerabilities, an update overview for C300 controllers and general recommendations for protecting the affected infrastructure can be found in the advisories from CISA and Honeywell.

