Honeywell, CISA warn of ‘Crit.IX’ vulnerabilities affecting manufacturing tools

Operational technology giant Honeywell joined the Cybersecurity and Infrastructure Security Agency (CISA) Thursday in warning of several serious vulnerabilities affecting a line of industrial control tools used widely within the manufacturing industry.

Armis Security told Recorded Future News that it discovered nine vulnerabilities earlier this year within products from Honeywell’s Experion Distributed Control System platforms. DCS platforms are digital automated industrial control systems that operate throughout factories, including power plants, chemical plants, automotive manufacturing and agricultural production.

They explained that the vulnerabilities – dubbed “Crit.IX” – allows for unauthorized remote code execution, which means an attacker would have the power to take over the devices and alter the operation of the DCS controller while also hiding the alterations from the engineering workstation that manages the controller.

Both legacy versions of the Honeywell servers and controllers are affected, according to Armis.

“Potentially any compromised IT, IoT, and OT assets on the same network as the DCS devices could be leveraged for an attack. This could result in anything from production stalls, to full-on sabotage and even acts of cyber warfare,” an Armis spokesperson said.

A Honeywell spokesperson confirmed that the bugs were found by Armis and said it investigated the vulnerabilities before issuing cybersecurity “hotfixes” starting in April.

“A customer notification was issued and customers were recommended to update their systems with the latest security hotfixes. There are no known exploits of this vulnerability at this time,” the Honeywell spokesperson said.

“In addition, an attacker would need to have access to the process control network, which is typically segregated from all other IT systems as a best practice, in order to be able to exploit the vulnerabilities. Experion owners should continue to isolate and monitor their process control network and apply available patches as soon as possible.”

Armis said it worked with Honeywell on the patches and said customers have already been notified about the issue.

CISA published its own advisory about the issue on Thursday, urging customers to apply the patches issued by Honeywell.

CISA said 7 of the 9 vulnerabilities carry CVSS scores of 9.8 out of 10, signifying a critical level of severity.

“Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents,” CISA said.

“No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have a low attack complexity.”