PatchSiren cyber security CVE debrief
CVE-2023-5403 Honeywell CVE debrief
CVE-2023-5403 is a high-severity vulnerability affecting multiple Honeywell industrial control system products: Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC. Published on April 25, 2024, it allows a remote attacker to cause a denial-of-service condition or execute arbitrary code on Experion Servers or Stations by sending specially crafted network messages. The CVSS 3.1 base score of 8.1 reflects high impact to confidentiality, integrity, and availability over a network attack vector with no privileges or user interaction required; high attack complexity is the only factor keeping the score below the critical band. Sixteen distinct product versions are affected across the five product families, spanning the R510.x, R511.x, and R520.x release trains for Experion systems, R15x and R16x for Safety Manager, and R210.x through R212.1 for Safety Manager SC. Honeywell has released fixed versions, referenced in Honeywell Security Notice SN2024, and users should upgrade to them. Given the role of these systems in process control and safety instrumented systems, immediate patching is recommended, with network segmentation and defense-in-depth controls as compensating measures where patching cannot occur immediately.
- Vendor: Honeywell
- Product: Experion PKS
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-25
- Original CVE updated: 2024-04-25
- Advisory published: 2024-04-25
- Advisory updated: 2024-04-25
Who should care
Organizations operating Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, or Safety Manager SC systems in industrial environments, including chemical processing, oil and gas, power generation, and manufacturing facilities. Critical infrastructure operators with safety instrumented systems should prioritize assessment due to potential safety implications of compromised control or safety systems.
Technical summary
CVE-2023-5403 affects Honeywell's Experion process knowledge systems and Safety Manager safety instrumented systems. The vulnerability resides in network message handling within Experion Servers and Stations, where insufficient validation of crafted messages permits both denial-of-service and remote code execution outcomes. The attack requires network reachability to the affected service but no authentication or user interaction; the CVSS vector rates attack complexity as high. No protocol or message format is specified here, so defenders should treat any network path to an Experion Server or Station as in scope. Sixteen specific product versions are impacted across five product families: Experion PKS (R510.2 HF14 and earlier, R511.5 TCU4 HF4 and earlier, R520.1 TCU5 and earlier, R520.2 TCU4 HF2 and earlier), Experion LX (R511.5 TCU4 HF4 and earlier, R520.1 TCU5 and earlier, R520.2 TCU4 HF2 and earlier), PlantCruise by Experion (same version ranges as Experion LX), Safety Manager (R15x, R16x through R162.10), and Safety Manager SC (R210.X, R211.1, R211.2, R212.1). Honeywell has addressed these issues in subsequent releases; the specific patched versions are documented in Security Notice SN2024, and a build that is merely newer than a listed bound should not be assumed fixed until it has been checked against that notice.
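As an added triage aid that is not part of the advisory or of Honeywell's own tooling, the Python below transcribes the affected ranges listed above and checks an asset inventory against them, so that the sixteen ranges become a repeatable check rather than a manual comparison. It assumes a version grammar of R<release>.<point>[ TCU<n>][ HF<n>] in which, within one release train, a higher TCU is later than any hotfix on a lower TCU; that convention, the sample inventory rows, and the function names are assumptions made for the example, not facts from the source. A result of "outside listed ranges" means only that the version is not in a listed affected range; the patched versions themselves are in SN2024, which the page does not reproduce.

```python
"""Inventory triage for CVE-2023-5403: flag installed Honeywell product versions
that fall inside the affected ranges listed in CISA advisory ICSA-24-116-04.

Assumptions (not from the advisory): version strings follow
"R<release>.<point>[ TCU<n>][ HF<n>]", and within one release train a higher
TCU is later than any HF on a lower TCU. The inventory rows are constructed
sample data, not real hosts.
"""
import re
from typing import Dict, List, Optional, Tuple

_VERSION_RE = re.compile(
    r"^R(\d{3})\.(\d+)(?:\s+TCU(\d+))?(?:\s+HF(\d+))?$", re.IGNORECASE
)

# "... and earlier" upper bounds per release train, transcribed from the advisory.
EXPERION_BOUNDS: Dict[str, List[str]] = {
    "Experion PKS": ["R510.2 HF14", "R511.5 TCU4 HF4", "R520.1 TCU5", "R520.2 TCU4 HF2"],
    "Experion LX": ["R511.5 TCU4 HF4", "R520.1 TCU5", "R520.2 TCU4 HF2"],
    "PlantCruise by Experion": ["R511.5 TCU4 HF4", "R520.1 TCU5", "R520.2 TCU4 HF2"],
}
COVERED_PRODUCTS = set(EXPERION_BOUNDS) | {"Safety Manager", "Safety Manager SC"}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (release, point, tcu, hf); a missing TCU or HF counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release, point, tcu, hf = m.groups()
    return int(release), int(point), int(tcu or 0), int(hf or 0)


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the version is inside a listed affected range, False if it is
    outside every listed range for that product, None if the product is not
    covered by the advisory. False does not mean fixed: confirm the installed
    build against the patched versions in Honeywell SN2024."""
    if product not in COVERED_PRODUCTS:
        return None
    rel, pt, tcu, hf = parse_version(version)
    if product in EXPERION_BOUNDS:
        # Same release train and not later than the bound (TCU compared before HF).
        return any(
            (rel, pt) == (b_rel, b_pt) and (tcu, hf) <= (b_tcu, b_hf)
            for b_rel, b_pt, b_tcu, b_hf in map(parse_version, EXPERION_BOUNDS[product])
        )
    if product == "Safety Manager":
        # R15x and R16x through R162.10
        return 150 <= rel <= 161 or (rel == 162 and pt <= 10)
    # Safety Manager SC: R210.X, R211.1, R211.2, R212.1
    return rel == 210 or (rel, pt) in {(211, 1), (211, 2), (212, 1)}


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Attach a verdict to each inventory row without stopping on bad input."""
    results = []
    for row in inventory:
        try:
            hit = is_affected(row["product"], row["version"])
        except ValueError:
            verdict = "unparseable version, check manually"
        else:
            verdict = {
                True: "AFFECTED, patch per SN2024",
                False: "outside listed ranges, confirm against SN2024",
                None: "product not covered by ICSA-24-116-04",
            }[hit]
        results.append({**row, "verdict": verdict})
    return results


def affected_hosts(inventory: List[Dict[str, str]]) -> List[str]:
    """Hostnames whose installed version falls inside a listed affected range."""
    return [r["host"] for r in triage(inventory) if r["verdict"].startswith("AFFECTED")]


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    {"host": "exp-srv-01", "product": "Experion PKS", "version": "R520.2 TCU4 HF2"},
    {"host": "exp-srv-02", "product": "Experion PKS", "version": "R520.2 TCU4 HF3"},
    {"host": "exp-stn-07", "product": "Experion LX", "version": "R510.2 HF14"},
    {"host": "sm-01", "product": "Safety Manager", "version": "R162.10"},
    {"host": "sm-02", "product": "Safety Manager", "version": "R162.11"},
    {"host": "smsc-01", "product": "Safety Manager SC", "version": "R210.3"},
    {"host": "hmi-03", "product": "Third-party HMI", "version": "R400.1"},
    {"host": "exp-stn-09", "product": "Experion PKS", "version": "520.2"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['host']:<12} {r['product']:<24} {r['version']:<18} {r['verdict']}")
```

Note the exp-stn-07 row: R510.2 HF14 is a listed affected version for Experion PKS but not for Experion LX, so the same version string produces different verdicts depending on the product; triage must key on product and version together, not on version alone.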
Defensive priority
critical
Recommended defensive actions
- Upgrade affected Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC systems to the patched versions referenced in Honeywell Security Notice SN2024
- Apply network segmentation to isolate affected Experion Servers and Stations from untrusted networks, limiting inbound connections to the hosts and protocols that the control system legitimately requires
- Implement defense-in-depth controls including host-based firewalls and application whitelisting where immediate patching is not feasible
- Monitor for anomalous network traffic targeting Experion Server and Station services
- Review and apply CISA ICS recommended practices for industrial control system security
Evidence notes
Vulnerability details sourced from CISA CSAF advisory ICSA-24-116-04 published April 25, 2024. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H confirmed in source. Affected product list derived from CSAF product tree with 16 CSAFPID entries. Remediation guidance references Honeywell Security Notice SN2024.
Official resources
- CVE-2023-5403 CVE record (CVE.org)
- CVE-2023-5403 NVD detail (NVD)
- Source item URL: CISA CSAF advisory ICSA-24-116-04 (cisa_csaf)
2024-04-25