PatchSiren cyber security CVE debrief
CVE-2023-5401 Honeywell CVE debrief
CVE-2023-5401 is a HIGH severity vulnerability (CVSS 3.1: 8.1) affecting multiple Honeywell industrial control systems including Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC. Published on April 25, 2024, this vulnerability enables remote attackers to cause denial-of-service conditions or achieve remote code execution on Experion Servers or Stations through specially crafted network messages. The attack vector is network-based with high attack complexity, requiring no privileges or user interaction. Sixteen distinct product versions are affected across Honeywell's industrial automation portfolio, spanning distributed control systems (Experion PKS, Experion LX, PlantCruise) and safety instrumented systems (Safety Manager, Safety Manager SC). Honeywell has released security updates to address these vulnerabilities. Organizations operating affected systems should prioritize patching given the potential for remote code execution in industrial control environments.
- Vendor: Honeywell
- Product: Experion PKS
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-25
- Original CVE updated: 2024-04-25
- Advisory published: 2024-04-25
- Advisory updated: 2024-04-25
Who should care
Organizations operating Honeywell Experion distributed control systems or Safety Manager safety instrumented systems in critical infrastructure sectors including oil and gas, chemicals, power generation, pharmaceuticals, and manufacturing. Asset owners with Experion Servers or Stations accessible from operational networks should prioritize assessment. Safety engineers responsible for Safety Manager and Safety Manager SC configurations must evaluate patch applicability during safety system maintenance planning. ICS security teams monitoring OT networks for anomalous activity should include these systems in threat hunting scope.
Technical summary
CVE-2023-5401 encompasses vulnerabilities in Honeywell's Experion distributed control systems and Safety Manager safety instrumented systems. The vulnerabilities exist in the message handling implementations of Experion Servers and Stations, where insufficient validation of network messages allows attackers to trigger denial-of-service conditions or execute arbitrary code. The CVSS 3.1 score of 8.1 reflects network attackability, high complexity, and complete confidentiality, integrity, and availability impacts. Affected versions span multiple release trains: Experion PKS versions prior to R510.2 HF14, R511.5 TCU4 HF4, R520.1 TCU5, and R520.2 TCU4 HF2; Experion LX and PlantCruise versions prior to R511.5 TCU4 HF4, R520.1 TCU5, and R520.2 TCU4 HF2; Safety Manager R15x and R16x through R162.10; and Safety Manager SC versions R210.X, R211.1, R211.2, and R212.1. The safety system exposures are particularly critical given their role in process safety shutdown functions.
Defensive priority
HIGH
Recommended defensive actions
- Apply Honeywell security updates referenced in Security Notice SN2024 to all affected Experion PKS, Experion LX, PlantCruise, Safety Manager, and Safety Manager SC systems
- Prioritize patching of Experion Servers and Stations exposed to network access
- Implement network segmentation to isolate affected industrial control systems from untrusted networks
- Monitor for anomalous network traffic targeting Experion systems, particularly specially crafted messages
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
- Ensure safety instrumented systems (Safety Manager, Safety Manager SC) are patched during planned maintenance windows to maintain safety integrity
- Verify patch levels against Honeywell's security notice to confirm remediation coverage across all 16 affected product configurations
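As an added example (not code from Honeywell, CISA or PatchSiren), the following Python turns the version boundaries quoted in the technical summary into the patch-level check the last action above calls for, so an asset inventory can be screened build by build. The release-string format and its ordering, the reading of "R15x and R16x" as majors 150 through 169, and the inventory rows are assumptions.

```python
import re

# Added example, not vendor code. ASSUMPTIONS: release strings look like
# "R<major>.<minor>[ TCU<n>][ HF<n>]" and order as (major, minor, tcu, hf), with a
# missing TCU/HF counting as 0; "R15x and R16x" is read as majors 150 through 169.
VERSION_RE = re.compile(r"^R(\d+)\.(\d+)(?:\s+TCU(\d+))?(?:\s+HF(\d+))?$", re.IGNORECASE)

# First fixed build per release train, per product (from the technical summary above).
FIXED_BUILDS = {
    "Experion PKS": ["R510.2 HF14", "R511.5 TCU4 HF4", "R520.1 TCU5", "R520.2 TCU4 HF2"],
    "Experion LX": ["R511.5 TCU4 HF4", "R520.1 TCU5", "R520.2 TCU4 HF2"],
    "PlantCruise by Experion": ["R511.5 TCU4 HF4", "R520.1 TCU5", "R520.2 TCU4 HF2"],
}
SM_CEILING = (162, 10)                          # Safety Manager: R15x/R16x through R162.10
SMSC_AFFECTED = {(211, 1), (211, 2), (212, 1)}  # Safety Manager SC, plus every R210.X


def parse_version(text):
    """Turn 'R520.2 TCU4 HF2' into the comparable tuple (520, 2, 4, 2)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Honeywell release string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(product, installed):
    """True if the installed build is in the vulnerable range for `product`,
    False if it is at or above the fixed build, None if the installed release
    train has no fixed build listed (treat as 'check the vendor notice')."""
    inst = parse_version(installed)
    if product in FIXED_BUILDS:
        for fixed in FIXED_BUILDS[product]:
            fx = parse_version(fixed)
            if fx[:2] == inst[:2]:              # same release train (major.minor)
                return inst < fx
        return None
    if product == "Safety Manager":
        return 150 <= inst[0] <= 169 and inst[:2] <= SM_CEILING
    if product == "Safety Manager SC":
        return inst[0] == 210 or inst[:2] in SMSC_AFFECTED
    raise KeyError(f"product not covered by CVE-2023-5401: {product}")


if __name__ == "__main__":
    # Constructed inventory rows, not real site data.
    inventory = [("Experion PKS", "R520.2 TCU4 HF1"), ("Experion PKS", "R510.2 HF14"),
                 ("Safety Manager", "R162.10"), ("Safety Manager SC", "R212.2")]
    for product, version in inventory:
        print(f"{product:24} {version:18} affected={is_affected(product, version)}")
```

A `None` result means the installed release train is not one the debrief gives a fixed build for, which is a prompt to consult the Honeywell notice rather than a clean bill of health.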
Evidence notes
CVE published and modified 2024-04-25. CISA ICS advisory ICSA-24-116-04 issued same date. CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. Affects 16 product configurations across 5 product families. Not listed in CISA KEV catalog.
Official resources
- CVE-2023-5401 CVE record (CVE.org)
- CVE-2023-5401 NVD detail (NVD)
- Source item URL: cisa_csaf