Honeywell


Products by Honeywell Sorted by Most Security Vulnerabilities since 2018

Honeywell Direct Station: 5 vulnerabilities

Honeywell Experion Server: 5 vulnerabilities

Honeywell Experion Station: 5 vulnerabilities

Honeywell Win Pak: 3 vulnerabilities

Honeywell Notifier Webserver: 2 vulnerabilities

Honeywell Softmaster: 2 vulnerabilities

Honeywell Alerton Compass: 1 vulnerability

Honeywell Experion: 1 vulnerability

Honeywell Prowatch: 1 vulnerability

Honeywell Symmetre: 1 vulnerability

By the Year

In 2024 there have been 0 vulnerabilities in Honeywell products. Last year Honeywell had 6 security vulnerabilities published. Right now, Honeywell is on track to have fewer security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 6 7.55
2022 6 7.22
2021 0 0.00
2020 5 8.74
2019 0 0.00
2018 1 6.10

It may take a day or so for new Honeywell vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Honeywell Security Vulnerabilities

Honeywell ProWatch, 4.5, including all Service Pack versions, contain a Vulnerability in Application Server's executable folder(s)

CVE-2023-6179 7.8 - High - November 17, 2023

Honeywell ProWatch 4.5, including all Service Pack versions, contains a vulnerability in the Application Server's executable folder(s). An attacker could potentially exploit this vulnerability, allowing a standard user to achieve arbitrary system code execution. Honeywell recommends updating to the most recent version of this product, service or offering (Pro-Watch 6.0.2, 6.0, 5.5.2, 5.0.5).

Incorrect Permission Assignment for Critical Resource

Server information leak of configuration data when an error is generated in response to a specially crafted message

CVE-2023-25948 7.5 - High - July 13, 2023

Server information leak of configuration data when an error is generated in response to a specially crafted message. See Honeywell Security Notification for recommendations on upgrading and versioning.

Generation of Error Message Containing Sensitive Information

Experion server may experience a DoS due to a stack overflow when handling a specially crafted message.

CVE-2023-22435 7.5 - High - July 13, 2023

Experion server may experience a DoS due to a stack overflow when handling a specially crafted message.

Memory Corruption

Experion server DoS due to heap overflow occurring during the handling of a specially crafted message for a specific configuration operation

CVE-2023-23585 7.5 - High - July 13, 2023

Experion server DoS due to heap overflow occurring during the handling of a specially crafted message for a specific configuration operation. See Honeywell Security Notification for recommendations on upgrading and versioning.

Memory Corruption

Experion server may experience a DoS due to a heap overflow

CVE-2023-24474 7.5 - High - July 13, 2023

Experion server may experience a DoS due to a heap overflow which could occur when handling a specially crafted message

Memory Corruption

Server or Console Station DoS due to heap overflow occurring during the handling of a specially crafted message for a specific configuration operation

CVE-2023-25078 7.5 - High - July 13, 2023

Server or Console Station DoS due to heap overflow occurring during the handling of a specially crafted message for a specific configuration operation. See Honeywell Security Notification for recommendations on upgrading and versioning.

Memory Corruption

A local unprivileged attacker may escalate to administrator privileges in Honeywell SoftMaster version 4.51

CVE-2022-2332 7.8 - High - September 16, 2022

A local unprivileged attacker may escalate to administrator privileges in Honeywell SoftMaster version 4.51, due to insecure permission assignment.

Incorrect Permission Assignment for Critical Resource

If an attacker manages to trick a valid user into loading a malicious DLL

CVE-2022-2333 7.8 - High - September 16, 2022

If an attacker manages to trick a valid user into loading a malicious DLL, the attacker may be able to achieve code execution in the context and with the permissions of the Honeywell SoftMaster version 4.51 application.

DLL preloading

Saia Burgess Controls (SBC) PCD through 2022-05-06 uses a Broken or Risky Cryptographic Algorithm

CVE-2022-30320 4.3 - Medium - July 28, 2022

Saia Burgess Controls (SBC) PCD through 2022-05-06 uses a Broken or Risky Cryptographic Algorithm. According to FSCT-2022-0063, there is a Saia Burgess Controls (SBC) PCD S-Bus weak credential hashing scheme issue. The affected components are characterized as: S-Bus (5050/UDP) authentication. The potential impact is: Authentication bypass. The Saia Burgess Controls (SBC) PCD controllers utilize the S-Bus protocol (5050/UDP) for a variety of engineering purposes. It is possible to configure a password in order to restrict access to sensitive engineering functionality. Authentication is done by using the S-Bus 'write byte' message to a specific address and supplying a hashed version of the password. The hashing algorithm used is based on CRC-16 and as such is not cryptographically secure. An attacker capable of passively observing traffic can intercept the hashed credentials and trivially find collisions, allowing authentication without having to brute-force a keyspace defined by the actual strength of the password. This gives the attacker access to sensitive engineering functionality such as uploading/downloading control logic and manipulating controller configuration.

Use of a Broken or Risky Cryptographic Algorithm

Saia Burgess Controls (SBC) PCD through 2022-05-06 allows Authentication bypass

CVE-2022-30319 8.1 - High - July 28, 2022

Saia Burgess Controls (SBC) PCD through 2022-05-06 allows Authentication bypass. According to FSCT-2022-0062, there is a Saia Burgess Controls (SBC) PCD S-Bus authentication bypass issue. The affected components are characterized as: S-Bus (5050/UDP) authentication. The potential impact is: Authentication bypass. The Saia Burgess Controls (SBC) PCD controllers utilize the S-Bus protocol (5050/UDP) for a variety of engineering purposes. It is possible to configure a password in order to restrict access to sensitive engineering functionality. Authentication functions on the basis of a MAC/IP whitelist with inactivity timeout to which an authenticated client's MAC/IP is stored. UDP traffic can be spoofed to bypass the whitelist-based access control. Since UDP is stateless, an attacker capable of passively observing traffic can spoof arbitrary messages using the MAC/IP of an authenticated client. This allows the attacker access to sensitive engineering functionality such as uploading/downloading control logic and manipulating controller configuration.

Authentication Bypass by Spoofing

Honeywell Alerton Compass Software 1.6.5 allows unauthenticated configuration changes from remote users

CVE-2022-30245 6.5 - Medium - July 15, 2022

Honeywell Alerton Compass Software 1.6.5 allows unauthenticated configuration changes from remote users. This enables configuration data to be stored on the controller and then implemented. A user with malicious intent can send a crafted packet to change the controller configuration without the knowledge of other users, altering the controller's function capabilities. The changed configuration is not updated in the User Interface, which creates an inconsistency between the configuration display and the actual configuration on the controller. After the configuration change, remediation requires reverting to the correct configuration, requiring either physical or remote access depending on the configuration that was altered.

Externally Controlled Reference to a Resource in Another Sphere

Matrikon OPC Server (all versions), from Honeywell subsidiary Matrikon, is vulnerable to a condition where a low-privileged user

CVE-2022-1261 8.8 - High - May 26, 2022

Matrikon OPC Server (all versions), from Honeywell subsidiary Matrikon, is vulnerable to a condition where a low-privileged user allowed to connect to the OPC server can use the functions of IPersistFile to execute operating system processes with system-level privileges.

Honeywell Notifier Web Server (NWS) Version 3.50 is vulnerable to a path traversal attack, which

CVE-2020-6974 9.8 - Critical - April 07, 2020

Honeywell Notifier Web Server (NWS) Version 3.50 is vulnerable to a path traversal attack, which allows an attacker to access restricted directories. Honeywell has released a firmware update to address the problem.

Directory traversal

In Honeywell WIN-PAK 4.7.2, Web and prior versions, the header injection vulnerability has been identified, which may

CVE-2020-6982 8.8 - High - March 24, 2020

In Honeywell WIN-PAK 4.7.2, Web and prior versions, a header injection vulnerability has been identified which may allow remote code execution.

Injection

In Honeywell WIN-PAK 4.7.2

CVE-2020-6978 7.2 - High - March 24, 2020

In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable due to the use of outdated jQuery libraries.

In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable to a cross-site request forgery, which may

CVE-2020-7005 8.8 - High - March 24, 2020

In Honeywell WIN-PAK 4.7.2, Web and prior versions, the affected product is vulnerable to a cross-site request forgery, which may allow an attacker to remotely execute arbitrary code.

Session Riding

In Notifier Web Server (NWS) Version 3.50 and earlier, the Honeywell Fire Web Servers authentication may be bypassed by a capture-replay attack

CVE-2020-6972 9.1 - Critical - March 24, 2020

In Notifier Web Server (NWS) Version 3.50 and earlier, the Honeywell Fire Web Server's authentication may be bypassed by a capture-replay attack from a web browser.

Authentication Bypass by Capture-replay

Honeywell MatrikonOPC OPC Controller before 5.1.0.0

CVE-2018-8714 6.1 - Medium - May 17, 2018

Honeywell MatrikonOPC OPC Controller before 5.1.0.0 allows local users to transfer arbitrary files from a host computer and consequently obtain sensitive information via vectors related to MSXML libraries.

Information Disclosure

Stack-based buffer overflow in the HMIWeb Browser HSCDSPRenderDLL ActiveX control in Honeywell Process Solutions (HPS) Experion R2xx, R30x, R31x, and R400.x; Honeywell Building Solutions (HBS) Enterprise Building Manager R400 and R410.1; and Honeywell Environmental Combustion and Controls (ECC) SymmetrE R410.1

CVE-2012-0254 - September 08, 2012

Stack-based buffer overflow in the HMIWeb Browser HSCDSPRenderDLL ActiveX control in Honeywell Process Solutions (HPS) Experion R2xx, R30x, R31x, and R400.x; Honeywell Building Solutions (HBS) Enterprise Building Manager R400 and R410.1; and Honeywell Environmental Combustion and Controls (ECC) SymmetrE R410.1 allows remote attackers to execute arbitrary code via unspecified vectors.

Memory Corruption

Buffer overflow in the BaseRunner ActiveX control in the Ademco ATNBaseLoader100 Module (ATNBaseLoader100.dll) 5.4.0.6, when Internet Explorer 6 is used

CVE-2007-2938 - May 31, 2007

Buffer overflow in the BaseRunner ActiveX control in the Ademco ATNBaseLoader100 Module (ATNBaseLoader100.dll) 5.4.0.6, when Internet Explorer 6 is used, allows remote attackers to execute arbitrary code via a long argument to the (1) Send485CMD method, and possibly the (2) SetLoginID, (3) AddSite, (4) SetScreen, and (5) SetVideoServer methods.

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.