Improper access control in Honeywell International, Inc Hardware solutions

#VU21209 Improper access control in Honeywell International, Inc Hardware solutions

Published: 2019-09-19

Vulnerability identifier: #VU21209

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13523

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vendor: Honeywell International, Inc

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the integrated web server of the affected devices allows to obtain web configuration data in JSON format for IP cameras and NVRs (Network Video Recorders). A remote attacker can gain unauthorized access to view device configuration information.

Mitigation
Contact vendor to obtain firmware update packages.

Vulnerable software versions

HEN32103L: All versions

HEN16103L: All versions

HEN08103L: All versions

HEN04103L: All versions

HEN16163: All versions

HEN16143: All versions

HEN16123: All versions

HEN16103: All versions

HEN08143: All versions

HEN08123: All versions

HEN08113: All versions

HEN08103: All versions

HEN04123: All versions

HEN04113: All versions

HEN04103: All versions

HEN643484: All versions

HEN643324: All versions

HEN643164: All versions

HEN64304: All versions

HEN64204: All versions

HEN323164: All versions

HEN32384: All versions

HEN32304: All versions

HEN322164: All versions

HEN32284: All versions

HEN32204: All versions

HEN321124: All versions

HEN32104: All versions

HEN16384: All versions

HEN16304: All versions

HEN16284: All versions

HEN162244: All versions

HEN16204: All versions

HEN16184: All versions

HEN16144: All versions

HEN16104: All versions

HEN081124: All versions

HEN08144: All versions

HEN08104: All versions

HPW2P1: All versions

H4W2PER3: All versions

HBW2PER2: All versions

H4W2PER2: All versions

HEW2PER2: All versions

HEW4PER2B: All versions

HEW4PER2: All versions

HBW2PER1: All versions

HEW4PER3B: All versions

HEW2PER3: All versions

H2W2PER3: All versions

H2W4PEr3: All versions

H2W2PC1M: All versions

HBW8PR2: All versions

H4W8PR2: All versions

HBD3PR1: All versions

H4D3PRV2: All versions

HED3PR3: All versions

H4D3PRV3: All versions

HBD3PR2: All versions

External links
http://www.us-cert.gov/ics/advisories/icsa-19-260-03
http://www.security.honeywell.com/-/media/Security/Resources/PDF/Product-Warranty/Security-Notification-May-2019-pdf.pdf?la=en-US&hash=15B712A99CD068FF0D8CB494BC96AB46E2122672

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for git

Gentoo update for Git

OpenSUSE Linux update for git

Red Hat update for git

Arch Linux update for git

Arch Linux update for libgit2

Amazon Linux AMI update for git

Information disclosure in Honeywell Performance IP Cameras and Performance NVRs