Critical Security Flaws Uncovered in Honeywell Experion DCS and QuickBlox Services
Multiple security vulnerabilities have been discovered in various services, including Honeywell Experion distributed control system (DCS) and QuickBlox, that, if successfully exploited, could result in severe compromise of affected systems.
Dubbed Crit.IX, the nine flaws in the Honeywell Experion DCS platform allow for “unauthorized remote code execution, which means an attacker would have the power to take over the devices and alter the operation of the DCS controller, whilst also hiding the alterations from the engineering workstation that manages the controller,” Armis said in a statement shared with The Hacker News.
Put differently, the issues relate to lack of encryption and adequate authentication mechanisms in a proprietary protocol called Control Data Access (CDA) that’s used to communicate between Experion Servers and C300 controllers, effectively enabling a threat actor to take over the devices and alter the operation of the DCS controller.
“As a result, anyone with access to the network is able to impersonate both the controller and the server,” Tom Gol, CTO for research at Armis, said. “In addition, there are design flaws in the CDA protocol which make it hard to control the boundaries of the data and can lead to buffer overflows.”
In a related development, Check Point and Claroty uncovered major flaws in a chat and video calling platform known as QuickBlox that’s widely used in telemedicine, finance, and smart IoT devices. The vulnerabilities could allow attackers to leak the user database from many popular applications that incorporate QuickBlox SDK and API.
This includes Rozcom, an Israeli vendor that sells intercoms for residential and commercial use cases. A closer examination of its mobile app led to the discovery of additional bugs (CVE-2023-31184 and CVE-2023-31185) that made it possible to download all user databases, impersonate any user, and perform full account takeover attacks.
“As a result, we were able to take over all Rozcom intercom devices, giving us full control and allowing us to access device cameras and microphones, wiretap into its feed, open doors managed by the devices, and more,” the researchers said.
Also disclosed this week are remote code execution flaws impacting Aerohive/Extreme Networks access points running HiveOS/Extreme IQ Engine versions before 10.6r2 and the open-source Ghostscript library (CVE-2023-36664, CVSS score: 9.8) that could result in the execution of arbitrary commands.
“Ghostscript is a widely used but not necessarily widely known package,” Kroll researcher Dave Truman said. “It can be executed in many different ways, from opening a file in a vector image editor such as Inkscape to printing a file via CUPS. This means that an exploitation of a vulnerability in Ghostscript might not be limited to one application or be immediately obvious.”
Rounding off the list is the discovery of hard-coded credentials in Technicolor TG670 DSL gateway routers that could be weaponized by an authenticated user to gain full administrative control of the devices.
“A remote attacker can use the default username and password to login as the administrator to the router device,” CERT/CC said in an advisory. “This allows the attacker to modify any of the administrative settings of the router and use it in unexpected ways.”
Users are advised to disable remote administration on their devices to prevent potential exploitation attempts and check with the service providers to determine if appropriate patches and updates are available.
Related news
An issue discovered in the function gdev_prn_open_printer_seekable() in Artifex Ghostscript through 10.02.0 allows remote attackers to crash the application via a dangling pointer.
Gentoo Linux Security Advisory 202309-3 - Multiple vulnerabilities have been discovered in GPL Ghostscript, the worst of which could result in remote code execution. Versions greater than or equal to 10.01.2 are affected.
Ubuntu Security Notice 6213-1 - It was discovered that Ghostscript incorrectly handled pipe devices. If a user or automated system were tricked into opening a specially crafted PDF file, a remote attacker could use this issue to execute arbitrary code.
Debian Linux Security Advisory 5446-1 - It was discovered that Ghostscript, the GPL PostScript/PDF interpreter, does not properly handle permission validation for pipe devices, which could result in the execution of arbitrary commands if malformed document files are processed.
Artifex Ghostscript through 10.01.2 mishandles permission validation for pipe devices (with the %pipe% prefix or the | pipe character prefix).
Xibo is a content management system (CMS). An SQL injection vulnerability was discovered in the `/dataset/data/{id}` API route inside the CMS starting in version 1.4.0 and prior to versions 2.3.17 and 3.3.5. This allows an authenticated user to exfiltrate data from the Xibo database by injecting specially crafted values into the `filter` parameter. Values allowed in the filter parameter are checked against a deny list of commands that should not be allowed; however, this checking was done in a case-sensitive manner, so it is possible to bypass these checks by using unusual case combinations. Users should upgrade to version 2.3.17 or 3.3.5, which fix this issue. There are no workarounds aside from upgrading.
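The deny-list weakness described in the Xibo item, as an added example that is not Xibo's own code: a case-sensitive keyword deny list beside a casefolded one, and an allow-list parser that validates the filter's structure and hands the literal back for parameter binding. The deny list, allowed column names and sample inputs are constructed for illustration.

```python
import re

# Deny list modelled on the case-sensitive keyword check described for the
# Xibo `filter` parameter (constructed illustration, not Xibo's own list).
DENY_LIST = ("SELECT", "UNION", "INSERT", "UPDATE", "DELETE", "DROP", "--", ";")

# Columns a dataset endpoint may be filtered on (constructed sample).
ALLOWED_COLUMNS = {"id", "name", "status"}
ALLOWED_OPS = {"=", "<", ">", "LIKE"}


def vulnerable_filter_check(value: str) -> bool:
    """Case-sensitive deny list: only an exact-case keyword is rejected,
    so a mixed-case spelling of the same keyword passes the check."""
    return not any(bad in value for bad in DENY_LIST)


def casefold_filter_check(value: str) -> bool:
    """Same deny list compared after casefolding, so letter case no longer
    matters. Still a deny list: it over-blocks harmless values that happen
    to contain a keyword (e.g. 'Selection') and cannot anticipate every
    token, so treat it as a stop-gap rather than the fix."""
    folded = value.casefold()
    return not any(bad.casefold() in folded for bad in DENY_LIST)


# Accepts exactly one `column op 'literal'` clause; the literal is captured
# separately so it is never spliced into the SQL text.
_FILTER_RE = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(=|<|>|LIKE)\s*'([^']*)'\s*$", re.IGNORECASE
)


def parse_filter(value: str):
    """Allow-list approach: validate the filter's shape, check the column and
    operator against fixed sets, and return (sql_fragment, params) where the
    fragment uses a `?` placeholder for the literal. Returns None when the
    filter is rejected, regardless of the case used in the input."""
    m = _FILTER_RE.match(value)
    if not m:
        return None
    column, op, literal = m.group(1), m.group(2).upper(), m.group(3)
    if column not in ALLOWED_COLUMNS or op not in ALLOWED_OPS:
        return None
    return f"{column} {op} ?", (literal,)
```

The returned fragment and tuple are meant to be passed to a parameterized query API (for example `cursor.execute(f"... WHERE {fragment}", params)`), which is what removes the injection path rather than the keyword filter.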