PatchSiren cyber security CVE debrief
CVE-2023-5393 Honeywell CVE debrief
A critical vulnerability in Honeywell's Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC industrial control systems allows remote attackers to execute arbitrary code or cause denial-of-service conditions. The vulnerability, published on April 25, 2024, affects 16 distinct product versions across Honeywell's distributed control system (DCS) and safety instrumented system (SIS) product lines. Successful exploitation requires network access to Experion Servers or Stations and specially crafted messages. The CVSS 3.1 score of 8.1 (High) reflects significant confidentiality, integrity, and availability impacts, with a network attack vector but high attack complexity. Honeywell has released security updates and advises immediate patching to remediated versions.
- Vendor: Honeywell
- Product: Experion PKS
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-25
- Original CVE updated: 2024-04-25
- Advisory published: 2024-04-25
- Advisory updated: 2024-04-25
Who should care
Organizations operating Honeywell Experion distributed control systems or Safety Manager safety instrumented systems in critical infrastructure sectors including oil and gas, chemicals, power generation, pharmaceuticals, and manufacturing. OT security teams, control system engineers, and plant reliability personnel responsible for maintaining safe and secure operations of process control environments.
Technical summary
CVE-2023-5393 is a network-accessible vulnerability in Honeywell's Experion distributed control system and Safety Manager safety instrumented system product lines. The vulnerability exists in message handling routines on Experion Servers and Stations, where specially crafted network messages can trigger memory corruption leading to either denial-of-service conditions or remote code execution. The attack requires network connectivity to target systems but no authentication or user interaction. Sixteen product configurations are affected across five product families: Experion PKS (4 version ranges), Experion LX (3 version ranges), PlantCruise by Experion (3 version ranges), Safety Manager (2 version ranges including R15x and R16x through R162.10), and Safety Manager SC (4 specific releases R210.X through R212.1). The CVSS 3.1 score of 8.1 reflects High severity with network attack vector, high attack complexity, no privileges required, and High impacts to confidentiality, integrity, and availability. Honeywell has addressed the vulnerability through security updates released under Security Notice SN2024, with specific patch levels varying by product line and release train.
Defensive priority
critical
Recommended defensive actions
- Apply Honeywell security updates to patched versions per Security Notice SN2024: Experion PKS R510.2 HF14 or later, R511.5 TCU4 HF4 or later, R520.1 TCU5 or later, R520.2 TCU4 HF2 or later; Experion LX R511.5 TCU4 HF4 or later, R520.1 TCU5 or later, R520.2 TCU4 HF2 or later; PlantCruise by Experion R511.5 TCU4 HF4 or later, R520.1 TCU5 or later, R520.2 TCU4 HF2 or later; Safety Manager versions beyond R162.10; Safety Manager SC versions beyond R212.1.
- Segment Experion Servers and Stations from untrusted networks using industrial firewalls and VLANs.
- Monitor network traffic for anomalous messaging patterns targeting Experion systems.
- Review and restrict remote access to Experion infrastructure per CISA ICS recommended practices.
- Validate backup and recovery procedures for safety-critical Safety Manager configurations before applying updates.
Evidence notes
CVE published and modified 2024-04-25 per CISA CSAF advisory ICSA-24-116-04. Affects 16 product configurations across 5 product families. CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. No KEV listing as of publication.
Official resources
- CVE-2023-5393 CVE record (CVE.org)
- CVE-2023-5393 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-04-25