Full Report
Unencrypted password transmission on the network in Honeywell ControlEdge PLC and RTU.
Analysis Summary
# Vulnerability: Unencrypted Password Transmission in Honeywell ControlEdge PLC and RTU
## CVE Details
- CVE ID: CVE-2020-10628
- CVSS Score: 7.5 (High) - *Note: 7.5 corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which follows from the implied impact of unencrypted transmission. The document itself listed an atypical 0.0 score with the vector **CVSS:3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N**, which calculates to 3.1 (Low/Medium). With Confidentiality rated High, a standard interpretation of unencrypted transmission points to a higher risk; however, we will stick to the provided vector's numerical calculation: **3.1 (Low)**.*
- CWE: Not explicitly listed, related to insecure communication/transmission of sensitive data.
## Affected Systems
- Products: Honeywell ControlEdge PLC and Honeywell ControlEdge RTU
- Versions:
  - PLC Versions: R130.2, R140, R150, and R151
  - RTU Versions: R101, R110, R140, R150, and R151
- Configurations: Any configuration where network communication is not secured.
## Vulnerability Description
The vulnerability stems from the transmission of passwords unencrypted over the network when communicating with the affected Honeywell ControlEdge PLC and RTU devices. This exposure allows attackers to intercept and capture sensitive authentication credentials.
## Exploitation
- Status: Existence of an exploit is unknown
- Complexity: Low (Per the document, Attack Complexity is Low)
- Attack Vector: Network
## Impact
- Confidentiality: High (Passwords can be exposed)
- Integrity: No impact stated (I:N)
- Availability: No impact stated (A:N)
## Remediation
### Patches
- Vendor released patches in June 2020. Specific patch versions are not detailed here, but it is implied that updating to a vendor-released version after June 2020 resolves the issue.
### Workarounds
- Vendor mitigation requires accessing the support document **SN2020-04-17-01-ConotrolEdge-PLC-and-RTU-Secure-Communication**. Users must be logged into the Honeywell support portal to access the document and follow step-by-step instructions for securing communication.
## Detection
- Indicators of compromise: Unauthorized network traffic analysis revealing cleartext password exchanges between clients and the PLC/RTU.
- Detection methods and tools: Network traffic monitoring and deep packet inspection tools configured to watch for proprietary protocols exchanging credentials without TLS/SSL encryption.
## References
- Vendor Advisories: Honeywell support document **SN2020-04-17-01-ConotrolEdge-PLC-and-RTU-Secure-Communication** (Login required)
- Relevant links: hxxps://ics-cert.kaspersky.com/advisories/2020/06/23/klcert-20-013-unencypted-password-transmission-in-honeywell-controledge-plc-and-rtu/