PatchSiren cyber security CVE debrief

CVE-2023-5398 Honeywell CVE debrief

CVE-2023-5398 is a medium-severity vulnerability affecting multiple Honeywell industrial control system products, including Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC. Published on April 25, 2024, this vulnerability allows an unauthenticated attacker to cause a denial-of-service condition on Experion Servers or Stations by sending specially crafted network messages. The CVSS 3.1 score of 5.9 reflects network attack vector with high attack complexity, requiring no privileges or user interaction, resulting in high availability impact. The vulnerability spans 16 distinct product configurations across Honeywell's process control and safety management product lines, with affected versions ranging from older releases like Experion PKS R510.2 through Safety Manager SC R212.1. Honeywell has released patches for all affected products, and CISA recommends upgrading to the versions specified in Honeywell's Security Notice. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Honeywell
Product: Experion PKS
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-25
Original CVE updated: 2024-04-25
Advisory published: 2024-04-25
Advisory updated: 2024-04-25

Who should care

Organizations operating Honeywell Experion distributed control systems or Safety Manager safety instrumented systems in critical infrastructure sectors including energy, chemicals, manufacturing, and pharmaceuticals should prioritize assessment and patching. OT security teams, control system engineers, and plant reliability personnel responsible for maintaining high-availability process control environments need to evaluate exposure and implement compensating controls where immediate patching is not feasible.

Technical summary

CVE-2023-5398 is a network-accessible denial-of-service vulnerability in Honeywell's Experion process control and Safety Manager safety instrumented systems. The vulnerability exists in the message handling implementation of Experion Servers and Stations, where specially crafted network messages can trigger a DoS condition. The attack requires network access but no authentication, with high attack complexity limiting ease of exploitation. Affected systems span distributed control systems (Experion PKS, LX, PlantCruise) and safety systems (Safety Manager, Safety Manager SC) across multiple firmware and software versions. Successful exploitation impacts availability of critical industrial control functions but does not compromise confidentiality or integrity. Remediation requires upgrading to Honeywell-provided patched versions per Security Notice SN2024.

Defensive priority

medium

Recommended defensive actions

Upgrade affected Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC systems to the patched versions referenced in Honeywell Security Notice SN2024
Apply network segmentation controls to limit exposure of Experion Servers and Stations to untrusted networks
Monitor for anomalous network traffic targeting Experion systems, particularly unsolicited connection attempts or malformed protocol messages
Review and implement CISA ICS recommended practices for defense-in-depth strategies
Validate that safety instrumented system (SIS) networks containing Safety Manager and Safety Manager SC components are isolated from process control networks per IEC 62443 guidelines

Evidence notes

Vulnerability details sourced from CISA CSAF advisory ICSA-24-116-04. CVSS 3.1 vector confirmed as AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. Affected product list derived from CSAF product tree with 16 distinct product IDs. Remediation guidance indicates Honeywell provided fixes with specific upgrade paths. No KEV entry present; enrichment fields confirm isKev=false.

Official resources

2024-04-25