Yesterday the DHS ICS-CERT published a control system advisory for multiple vulnerabilities in the Honeywell XL Web II controller application (also sold by Centraline as the Falcon web controller). The vulnerabilities were reported by Maxim Rupp. Honeywell has produced a new version to mitigate the vulnerabilities. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.
The reported vulnerabilities are:
• Plaintext storage of passwords - CVE-2017-5139;
• Insufficiently protected credentials - CVE-2017-5140;
• Session fixation - CVE-2017-5141;
• Improper privilege management - CVE-2017-5142; and
• Path traversal - CVE-2017-5143.
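The five classes listed above are generic web-application weaknesses, and the advisory gives no product internals. As an added illustration (not code from the Honeywell product, ICS-CERT, or the researcher), the Python sketch below shows three of them, plaintext password storage, session fixation and path traversal, each in a vulnerable form next to a corrected one. WEB_ROOT, SessionStore, the sample paths and the attacker-chosen session id are constructed for the example.

```python
import hashlib
import hmac
import posixpath
import secrets

# Constructed document root for the example; not the real product's layout.
WEB_ROOT = "/var/www/controller"


# --- Path traversal (the advisory's fifth item) ---------------------------

def resolve_vulnerable(requested):
    """Normalises the path but never checks it stayed under WEB_ROOT,
    so '../' sequences walk out of the web root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, requested))


def resolve_hardened(requested):
    """Canonicalise, then refuse anything that is not inside WEB_ROOT.
    Returns the absolute path, or None when the request escapes the root."""
    root = posixpath.normpath(WEB_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# --- Session fixation (the advisory's third item) -------------------------

class SessionStore:
    """Minimal in-memory session table: session id -> authenticated user."""

    def __init__(self):
        self.sessions = {}

    def login_vulnerable(self, sid, user):
        """Keeps whatever session id the client presented and simply marks it
        authenticated. An attacker who planted that id in the victim's browser
        now holds an authenticated session."""
        self.sessions[sid] = user
        return sid

    def login_hardened(self, sid, user):
        """Discards the pre-authentication id and issues a fresh, unguessable
        one, so a planted id never becomes an authenticated session."""
        self.sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = user
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid)


# --- Plaintext password storage (the advisory's first item) ---------------

def store_plaintext(password):
    """What ends up in the config file is the password itself."""
    return password


def store_hashed(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored string is 'salthex$digesthex'."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_hashed(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("traversal (vulnerable):", resolve_vulnerable("../../etc/passwd"))
    print("traversal (hardened):  ", resolve_hardened("../../etc/passwd"))
    planted = "attacker-chosen-id"
    print("fixation (vulnerable): ", SessionStore().login_vulnerable(planted, "operator"))
    print("fixation (hardened):   ", SessionStore().login_hardened(planted, "operator"))
    print("password (hashed):     ", store_hashed("changeme"))
```

The hardened variants are the checks a reviewer would look for in any embedded web controller: a post-canonicalisation prefix test on file paths, a new session id issued at the moment of authentication, and a salted slow hash in place of the password itself.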
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain an entry point into the network where the controller is located.
NOTE: For some reason this advisory was published in the old format. While not a serious issue in itself, the lack of internal controls on the format may be an indicator of some management issues.