Late this afternoon the DHS ICS-CERT published an advisory for an ActiveX vulnerability in the Honeywell Enterprise Buildings Integrator (EBI). The vulnerability was reported by Juan Vazquez of Rapid7 in a coordinated disclosure.
The Advisory
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to execute arbitrary code on the system, but only by way of a social engineering attack (for an ActiveX control this typically means getting a user on an affected system to open a crafted web page in Internet Explorer). ICS-CERT maintains that the need for a social engineering attack vector “decreases the likelihood of a successful exploit” (pg 3). Recent reports on the success rates of social engineering attacks don’t seem to support that assertion.
Honeywell recommends that HscRemoteDeploy.dll be disabled on “any client or server computers on affected systems”. They have an update package that accomplishes this, but recommend that it be run only by a “qualified, trained resource”. Honeywell has also asked Microsoft to “issue a kill bit for the HscRemoteDeploy.dll in a future monthly Microsoft Windows security update”. A kill bit is a registry flag that tells Internet Explorer never to instantiate the control’s CLSID; it does not remove the DLL from disk, but once Microsoft ships it, any machine that applies the monthly Windows update will have the control blocked in the browser without the Honeywell package having to be run.
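The following PowerShell script is an added example and is not Honeywell’s update package or Microsoft’s fix. It shows what the kill-bit mitigation actually does on a host: it looks up the CLSID(s) that HscRemoteDeploy.dll registers (the DLL file name is taken from the advisory; the CLSID is read from the registry rather than assumed, since the advisory does not give it), then sets Microsoft’s documented ActiveX Compatibility kill-bit flag (0x400) for each, and verifies the result. It must be run from an elevated prompt and should be tested with -WhatIf first; it only blocks Internet Explorer and other hosts that honour the kill bit, and leaves the DLL itself in place.

```powershell
# Added example (not Honeywell's or Microsoft's code): locate the CLSIDs registered
# by a given ActiveX DLL and apply the Internet Explorer kill bit to each of them.
# Run from an elevated PowerShell prompt. Use -WhatIf to preview the registry changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # DLL file name from the ICS-CERT advisory; the CLSID is discovered, not assumed.
    [string]$DllName = 'HscRemoteDeploy.dll'
)

# Microsoft-documented kill bit: Compatibility Flags = 0x400 under the ActiveX
# Compatibility key blocks that CLSID from loading in Internet Explorer.
$KillBitFlag = 0x400
$CompatRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit controls on 64-bit Windows are governed by the WOW6432Node copy.
    $CompatRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Find-ClsidForDll {
    param([string]$Name)
    # Every in-process COM server records its DLL path as the default value of
    # CLSID\{guid}\InprocServer32. Check native and 32-bit (WOW6432Node) registrations.
    $clsidRoots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
                    'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')
    foreach ($root in $clsidRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $srv = Join-Path $_.PSPath 'InprocServer32'
            if (-not (Test-Path $srv)) { return }
            $path = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            if (-not $path) { return }
            # Registered paths may be quoted and may contain environment variables.
            $leaf = Split-Path -Leaf ([Environment]::ExpandEnvironmentVariables($path.Trim('"')))
            if ($leaf -ieq $Name) {
                [pscustomobject]@{ Clsid = $_.PSChildName; Dll = $path }
            }
        }
    }
}

function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Clsid)
    foreach ($root in $CompatRoots) {
        $key = Join-Path $root $Clsid
        if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags kill bit (0x400)')) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # OR the kill bit into any flags already present instead of overwriting them.
            $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                         -ErrorAction SilentlyContinue).'Compatibility Flags'
            $new = ([int]$existing) -bor $KillBitFlag
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

function Test-ActiveXKillBit {
    param([string]$Clsid)
    # True only if the kill bit is present in every applicable compatibility key.
    foreach ($root in $CompatRoots) {
        $key = Join-Path $root $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ((([int]$flags) -band $KillBitFlag) -ne $KillBitFlag) { return $false }
    }
    return $true
}

$found = @(Find-ClsidForDll -Name $DllName)
if ($found.Count -eq 0) {
    Write-Host "No CLSID registered for $DllName on this host; nothing to do."
    return
}
foreach ($entry in $found) {
    Write-Host "Found $($entry.Clsid) -> $($entry.Dll)"
    Set-ActiveXKillBit -Clsid $entry.Clsid
    if (-not $WhatIfPreference) {
        Write-Host ("Kill bit set for {0}: {1}" -f $entry.Clsid, (Test-ActiveXKillBit -Clsid $entry.Clsid))
    }
}
```

The script deliberately reads the CLSID from the InprocServer32 registration rather than hard-coding one, so it can be reused for any ActiveX DLL and will not touch the registry at all on hosts where the control is not registered. Note that ORing the flag preserves any other compatibility flags already set for the control, which a blind overwrite would discard.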
No Public Exploit Code, Yet
The advisory reports that there is no known exploit code publicly available at this time. It also notes that Rapid7 plans on releasing a Metasploit module for this vulnerability next month. This continues a trend upon which I have recently reported: white hat researchers are publishing exploit code even for coordinated disclosure vulnerabilities. Rapid7 is more forgiving in its publication process than Exodus Intelligence, since it is giving owners a reasonable chance to install their system updates before the exploit code is published. It would be even more forgiving if they held off their publication until Microsoft publishes the DLL kill bit in its Windows update.