Honeywell, an American multinational company that produces consumer and commercial products, aerospace systems, and engineering services, has patched two vulnerabilities in its Midas gas detectors.
According to an alert issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the vulnerabilities affect versions 1.13b1 and earlier of Midas, as well as 2.13b1 and earlier of Midas Black. Both affected devices test the air for toxic, flammable, and ambient gases.
“Successful exploitation of these vulnerabilities could allow a remote attacker to gain unauthenticated access to the device, potentially allowing configuration changes, as well as the initiation of calibration or test processes,” the alert reads. “Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”
The first of the two vulnerabilities affects the web server and could potentially allow an attacker to bypass the authentication process, allowing them to make unauthorized configuration changes or to initiate calibration/test processes. This bug (CVE-2015-7907) has received a CVSS v3 base score of 8.6.
The second vulnerability (CVE-2015-7908) involves a user’s password not being encrypted during transmission. A CVSS v3 base score of 9.4 has been assigned.
SC Magazine reports that while there are no known exploits in the wild, a low-skill hacker could easily exploit either of the bugs.
Honeywell recommends that customers update their Midas devices to version 1.13b3 and their Midas Black products to version 2.13b3. Honeywell has made those firmware versions available for download.
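For asset owners checking their own exposure, the following added example (not code from Honeywell or ICS-CERT) triages a device inventory against the affected and fixed firmware versions named above. The inventory records are constructed, and the script assumes firmware strings follow the `major.minor` + `b` + `build` form used in this article.

```python
import re

# Thresholds from the article: last affected and first fixed firmware per product.
THRESHOLDS = {
    "Midas": {"last_affected": "1.13b1", "first_fixed": "1.13b3"},
    "Midas Black": {"last_affected": "2.13b1", "first_fixed": "2.13b3"},
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)b(\d+)$")


def parse_version(text):
    """Turn '1.13b1' into (1, 13, 1); return None if the format is not recognised."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(product, firmware):
    """Return 'affected', 'fixed' or 'verify' for one device."""
    limits = THRESHOLDS.get(product)
    version = parse_version(firmware)
    if limits is None or version is None:
        return "verify"  # unknown product line or unparseable version string
    if version <= parse_version(limits["last_affected"]):
        return "affected"
    if version >= parse_version(limits["first_fixed"]):
        return "fixed"
    return "verify"  # e.g. 1.13b2: the article does not state its status


def triage(inventory):
    """Group device names by status so affected units can be scheduled for update."""
    report = {"affected": [], "fixed": [], "verify": []}
    for device in inventory:
        status = classify(device["product"], device["firmware"])
        report[status].append(device["name"])
    return report


# Constructed sample inventory (hypothetical device names and firmware values).
SAMPLE_INVENTORY = [
    {"name": "fab-bay-01", "product": "Midas", "firmware": "1.13b1"},
    {"name": "fab-bay-02", "product": "Midas", "firmware": "1.13b3"},
    {"name": "lab-03", "product": "Midas", "firmware": "1.13b2"},
    {"name": "store-04", "product": "Midas Black", "firmware": "2.10b0"},
    {"name": "store-05", "product": "Midas Black", "firmware": "v2.13"},
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Devices reported as `verify` fall between the last version listed as affected and the first fixed version, or carry a version string the parser does not recognise, and need a manual check against the vendor's notice.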
These vulnerabilities highlight the risks of using computer technology to automate important industrial processes, writes Dan Goodin of Ars Technica. There are standards in place to help mitigate these risks, most notably the NERC Critical Infrastructure Protection standards, but even these have limits to their effectiveness.