Critical Security Flaws Uncovered in Honeywell Experion DCS and QuickBlox Services
15.7.23 Vulnerability The Hacker News
Multiple security vulnerabilities have been discovered in various services, including Honeywell Experion distributed control system (DCS) and QuickBlox, that, if successfully exploited, could result in severe compromise of affected systems.
Dubbed Crit.IX, the nine flaws in the Honeywell Experion DCS platform allow for "unauthorized remote code execution, which means an attacker would have the power to take over the devices and alter the operation of the DCS controller, whilst also hiding the alterations from the engineering workstation that manages the controller," Armis said in a statement shared with The Hacker News.
Put differently, the issues relate to lack of encryption and adequate authentication mechanisms in a proprietary protocol called Control Data Access (CDA) that's used to communicate between Experion Servers and C300 controllers, effectively enabling a threat actor to take over the devices and alter the operation of the DCS controller.
"As a result, anyone with access to the network is able to impersonate both the controller and the server," Tom Gol, CTO for research at Armis, said. "In addition, there are design flaws in the CDA protocol which make it hard to control the boundaries of the data and can lead to buffer overflows."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in an advisory of its own, said seven of the nine flaws carry a CVSS score of 9.8 out of 10, while the two others have a severity rating of 7.5. "Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow privilege escalation or allow remote code execution," it warned.
In a related development, Check Point and Claroty uncovered major flaws in a chat and video calling platform known as QuickBlox that's widely used in telemedicine, finance, and smart IoT devices. The vulnerabilities could allow attackers to leak the user database from many popular applications that incorporate QuickBlox SDK and API.
This includes Rozcom, an Israeli vendor that sells intercoms for residential and commercial use cases. A closer examination of its mobile app led to the discovery of additional bugs (CVE-2023-31184 and CVE-2023-31185) that made it possible to download all user databases, impersonate any user, and perform full account takeover attacks.
"As a result, we were able to take over all Rozcom intercom devices, giving us full control and allowing us to access device cameras and microphones, wiretap into its feed, open doors managed by the devices, and more," the researchers said.
Also disclosed this week are remote code execution flaws impacting Aerohive/Extreme Networks access points running HiveOS/Extreme IQ Engine versions before 10.6r2 and the open-source Ghostscript library (CVE-2023-36664, CVSS score: 9.8) that could result in the execution of arbitrary commands.
"Ghostscript is a widely used but not necessarily widely known package," Kroll researcher Dave Truman said. "It can be executed in many different ways, from opening a file in a vector image editor such as Inkscape to printing a file via CUPS. This means that an exploitation of a vulnerability in Ghostscript might not be limited to one application or be immediately obvious."
Security shortcomings have also been made public in two Golang-based open-source platforms, Owncast (CVE-2023-3188, CVSS score: 6.5) and EaseProbe (CVE-2023-33967, CVSS score: 9.8), that could pave the way for Server-Side Request Forgery (SSRF) and SQL injection attacks, respectively.
Rounding off the list is the discovery of hard-coded credentials in Technicolor TG670 DSL gateway routers that could be weaponized by an authenticated user to gain full administrative control of the devices.
"A remote attacker can use the default username and password to login as the administrator to the router device," CERT/CC said in an advisory. "This allows the attacker to modify any of the administrative settings of the router and use it in unexpected ways."
Users are advised to disable remote administration on their devices to prevent potential exploitation attempts and to check with their service providers to determine whether appropriate patches and updates are available.