Exposed session token in Honeywell ControlEdge PLC and RTU.
# Vulnerability: Session Token Exposure in Honeywell ControlEdge PLC and RTU
## CVE Details
- **CVE ID:** CVE-2020-10624
- **CVSS Score:** 5.9 (Medium) *(Note: the article text gives 0.0, but the provided vector string AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N computes to 5.9.)*
- **CWE:** CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) / CWE-384 (Session Fixation/Hijacking)
## Affected Systems
- **Products:** Honeywell ControlEdge PLC and ControlEdge RTU
- **Versions:**
  - **PLC:** R130.2, R140, R150, and R151
  - **RTU:** R101, R110, R140, R150, and R151
- **Configurations:** Systems utilizing insecure communication protocols or default session management settings.
## Vulnerability Description
The vulnerability arises from the exposure of session tokens within the communication between the user and the Honeywell ControlEdge PLC/RTU devices. Because these tokens are not sufficiently protected during transmission or lifecycle management, an attacker capable of intercepting network traffic can obtain the token and use it to hijack a legitimate user's session.
## Exploitation
- **Status:** Unknown (No known public exploits reported at time of advisory)
- **Complexity:** High (Requires the ability to intercept/monitor network traffic between the client and the controller)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Session tokens are exposed, potentially leading to unauthorized access to sensitive device data)
- **Integrity:** None (The vulnerability itself is an information disclosure, though it can lead to integrity issues if the session is used to modify settings)
- **Availability:** None
## Remediation
### Patches
- Honeywell released patches in June 2020. Users should update to versions newer than R151 or apply the security hotfixes specifically addressing insecure communication.
### Workarounds
- Honeywell issued a security notification (SN2020-04-17-01-ControlEdge-PLC-and-RTU-Secure-Communication).
- Users are advised to log into the Honeywell support portal to access specific step-by-step mitigation instructions for hardening ControlEdge communications.
## Detection
- **Indicators of Compromise:** Unusual administrative activity originating from unexpected IP addresses; multiple concurrent sessions using the same token.
- **Detection Methods and Tools:**
  - Monitor network traffic for unencrypted transmission of session identifiers.
  - Audit PLC/RTU access logs for session anomalies.
  - Use ICS-aware Deep Packet Inspection (DPI) to identify insecure communication patterns.
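As an added illustration of the "multiple concurrent sessions using the same token" indicator (this is example code, not part of the advisory or of any Honeywell tooling), the following Python script scans access-log lines and flags any session token used from more than one client address within a short window. The log format, field names and sample lines are constructed assumptions, not the ControlEdge native log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (hypothetical, not the ControlEdge native format):
# "<ISO timestamp> src=<ip> user=<name> token=<session-id> action=<verb>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"token=(?P<token>\S+) action=(?P<action>\S+)$"
)

# Constructed sample: token "a1b2c3" is reused from a second address 40 s after
# the legitimate client's last request; token "d4e5f6" moves hosts 25 min apart.
SAMPLE_LOG = """\
2020-06-23T10:00:00 src=10.0.0.5 user=engineer token=a1b2c3 action=login
2020-06-23T10:00:20 src=10.0.0.5 user=engineer token=a1b2c3 action=read_config
2020-06-23T10:00:40 src=10.0.9.77 user=engineer token=a1b2c3 action=write_config
2020-06-23T10:05:00 src=10.0.0.6 user=operator token=d4e5f6 action=login
2020-06-23T10:30:00 src=10.0.0.7 user=operator token=d4e5f6 action=read_config
"""

def parse(lines):
    """Yield one dict per line that matches the assumed format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec

def find_shared_tokens(records, window=timedelta(minutes=5)):
    """Return {token: sorted list of source IPs} for every token seen from two
    different source addresses within `window` of each other (concurrent use)."""
    by_token = defaultdict(list)
    for r in records:
        by_token[r["token"]].append((r["ts"], r["src"]))
    hits = {}
    for token, uses in by_token.items():
        uses.sort()  # chronological order so the inner loop can stop early
        for i, (t_i, src_i) in enumerate(uses):
            for t_j, src_j in uses[i + 1:]:
                if t_j - t_i > window:
                    break
                if src_j != src_i:
                    hits.setdefault(token, set()).update({src_i, src_j})
    return {tok: sorted(ips) for tok, ips in hits.items()}

if __name__ == "__main__":
    for token, ips in find_shared_tokens(parse(SAMPLE_LOG.splitlines())).items():
        print(f"ALERT: token {token} used concurrently from {', '.join(ips)}")
```

Tune `window` to the controller's real session timeout; a token that legitimately changes hosts long after the previous session ended (as with `d4e5f6` above) is not reported.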
## References
- **Vendor Advisory:** hxxps[://]process[.]honeywell[.]com/ (Search for SN2020-04-17-01)
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2020/06/23/klcert-20-014-session-token-exposed-in-honeywell-controledge-plc-and-rtu/
- **NVD:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2020-10624