White Paper

Uncovering Critical Vulnerabilities in Honeywell Experion® Platforms for Distributed Control Systems


In recent years, there has been a noticeable rise in attacks directed at Operational Technology (OT) targets. This trend highlights the growing risks faced by critical infrastructure systems, as both cyber criminals and nation-state actors have come to recognize the immense value in targeting such systems. Security experts at Armis Research Labs discovered 9 vulnerabilities in Honeywell’s Experion® platforms for distributed control systems (DCS), which are widely used across a variety of industries, from agriculture and water management to pharmaceuticals and nuclear plants. Seven of the vulnerabilities are critical and allow remote code execution. Exploiting these vulnerabilities can lead to anything from DoS and ransom demands to destruction of equipment and danger to its surroundings. The vulnerabilities were found in Honeywell’s proprietary CDA protocol and in the vendor’s implementation of the CDA Data Client Named Access protocol. Since the discovery of the vulnerabilities, Armis and Honeywell have been working together to carefully uncover their impact radius and provide ongoing mitigations.

What We Found in Crit.IX

Researchers at Armis Research Labs revealed weak points in the CDA protocol, a proprietary protocol designed by Honeywell and used for communication between the Honeywell Experion® server and the C300 controller. This protocol lacks encryption and proper authentication mechanisms, which allows anyone with access to the network to impersonate both the controller and the server. In addition, there are design flaws in the CDA protocol that make it hard to enforce the boundaries of the data being exchanged, which leads to buffer overflows.

Honeywell also implements a CDA Data Client Named Access protocol on the Experion® Server, which is used for communication between the Honeywell Experion® server and Experion® applications, allowing those applications to access data by tag name. Honeywell’s implementation of this protocol was found to contain 4 vulnerabilities, most of which allow remote code execution (RCE) on the Experion® Server.

Download the white paper to learn more about the vulnerabilities.
