Tuesday, January 21, 2020

1 Advisory Published – 1-21-20

Today the CISA NCCIC-ICS published a control system security advisory for products from Honeywell.

Honeywell Advisory


This advisory describes two vulnerabilities in the Honeywell MAXPRO VMS and NVR video management systems. The vulnerabilities were reported by Joachim Kerschbaumer. Honeywell has updates that mitigate the vulnerabilities. There is no indication that Kerschbaumer has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Deserialization of untrusted data - CVE-2020-6959; and
• SQL injection - CVE-2020-6960

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to elevate privileges, cause a denial-of-service condition, or achieve unauthenticated remote code execution.
