Authorities and security researchers are warning about critical vulnerabilities in Honeywell and Rockwell Automation products that could expose the industrial tools to remote takeover by hackers and lead to potentially destructive attacks.
The disclosures come at a time of heightened threat activity against critical infrastructure providers amid increased tensions from rogue nation-state and criminal actors.
Federal authorities notified Rockwell about a novel exploit capability linked to advanced persistent threat actors using vulnerabilities in the company’s ControlLogix EtherNet/IP communication modules.
One vulnerability, listed as CVE-2023-3595 with a severity rating of 9.8, could allow an attacker to remotely take over a system using specially crafted messages and modify, block or steal data passing through a system, according to the Cybersecurity and Infrastructure Security Agency.
A related vulnerability, listed as CVE-2023-3596 with a severity rating of 7.5, could allow an attacker to cause a denial-of-service condition using specially crafted messages.
The devices are used in many industrial settings, including electric, oil and gas, liquefied natural gas and manufacturing, according to Dragos, which worked with federal officials to analyze the vulnerabilities.
Dragos researchers compare the risk to the 2017 Trisis malware attacks, which targeted industrial safety systems at a victim in the Middle East. Researchers are urging organizations using the modules to upgrade to the latest firmware as soon as possible.
Rockwell Automation said it has worked closely with government officials to respond to the vulnerabilities. The company has not been told of any active exploitation of the vulnerability, according to a spokesperson.
Armis researchers are warning about critical vulnerabilities in Honeywell Experion DCS platforms. The so-called Crit.IX vulnerabilities could allow an attacker to take remote control and leverage any compromised IT, IoT or OT assets, resulting in stalled production, sabotage of a facility or use in some type of attack.
CISA officials said the vulnerabilities are not only exploitable remotely, but have a low attack complexity.
After Armis notified the company, Honeywell said it investigated the matter, then began issuing hotfixes in April and notifying customers. The company is not aware of any exploitation, according to a spokesperson.
“In addition, an attacker would need to have access to the process control network, which is typically segregated from all other IT systems as a best practice, in order to be able to exploit the vulnerabilities,” Honeywell said via email.