Late this afternoon the DHS ICS-CERT published an advisory for an ActiveX vulnerability in the Honeywell Enterprise Buildings Integrator (EBI). The vulnerability was reported by Juan Vazquez of Rapid7 in a coordinated disclosure.
ICS-CERT reports that a moderately skilled attacker using a social engineering attack could remotely exploit this vulnerability to execute arbitrary code on the system. ICS-CERT maintains that the need to use a social engineering attack vector “decreases the likelihood of a successful exploit” (pg 3). Recent reports on the success rates for social engineering attacks don’t seem to support that assertion.
Honeywell recommends that the HscRemoteDeploy.dll be disabled on “any client or server computers on affected systems”. They have an update package that accomplishes this, but recommend that it only be run by a “qualified, trained resource”. Honeywell has also asked Microsoft to “issue a kill bit for the HscRemoteDeploy.dll in a future monthly Microsoft Windows security update”. This will disable the DLL on any machines running the automated Windows update.
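As an added example (not Honeywell's update package and not from the advisory), this PowerShell script checks whether the ActiveX kill bit is already present for a control's CLSID and can apply it from an elevated session; the CLSID is a placeholder because the advisory text quoted here does not give the one for HscRemoteDeploy.dll.

```powershell
# Added example, not Honeywell's or ICS-CERT's code. Checks and optionally sets the
# ActiveX kill bit for one CLSID. The default CLSID is a PLACEHOLDER; use the real
# CLSID for HscRemoteDeploy.dll from the vendor advisory or the DLL's registration.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}',  # placeholder value
    [switch]$Apply
)

$KillBit = 0x400   # "Compatibility Flags" bit that blocks the control in Internet Explorer

# On 64-bit Windows a 32-bit control is also looked up under Wow6432Node, so check both.
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

foreach ($path in $paths) {
    $flags = 0
    if (Test-Path $path) {
        $existing = Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($null -ne $existing) { $flags = [int]$existing.'Compatibility Flags' }
    }

    if (($flags -band $KillBit) -ne 0) {
        Write-Output "kill bit SET      $path"
        continue
    }

    Write-Output "kill bit MISSING  $path"
    if ($Apply) {
        # Requires an elevated session; any flags already present are preserved.
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value ($flags -bor $KillBit) -Type DWord
        Write-Output "kill bit APPLIED  $path"
    }
}
```

Run without `-Apply` to audit a machine before and after the Microsoft update lands; the kill bit only stops the control loading in Internet Explorer, so it does not replace disabling the DLL as Honeywell recommends.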
No Public Exploit Code, Yet
The advisory reports that there is no known exploit code publicly available at this time. It also notes that Rapid7 plans on releasing a Metasploit module for this vulnerability next month. This continues a trend I have recently reported on, with white hat researchers publishing exploit code even for coordinated disclosure vulnerabilities. Rapid7 is more forgiving in their publication process than is Exodus Intelligence since they are giving owners a reasonable chance to install their system updates before the exploit code is published. It would be even more forgiving if they held off their publication until Microsoft publishes the DLL kill bit in their Windows update.