PatchSiren cyber security CVE debrief

CVE-2023-5406 Honeywell CVE debrief

CVE-2023-5406 is a medium-severity vulnerability affecting multiple Honeywell industrial control systems, including Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC. Published on April 25, 2024, this vulnerability allows an attacker to cause denial of service or achieve remote code execution by manipulating messages sent from a controller to Experion Servers or Stations using specially crafted network messages. The CVSS 3.1 score of 5.9 reflects a network attack vector with high attack complexity, requiring no privileges or user interaction, with high availability impact. The vulnerability spans 16 affected product configurations across Honeywell's distributed control and safety systems product lines. Honeywell has released security updates to address this issue, with remediation guidance available through its technical publication system.

Vendor: Honeywell
Product: Experion PKS
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-25
Original CVE updated: 2024-04-25
Advisory published: 2024-04-25
Advisory updated: 2024-04-25

Who should care

Organizations operating Honeywell Experion PKS, Experion LX, PlantCruise by Experion distributed control systems, or Safety Manager/Safety Manager SC safety instrumented systems in critical infrastructure sectors including oil and gas, chemical manufacturing, power generation, and pharmaceuticals. Asset owners in OT/ICS security roles, control system engineers, and safety system administrators should prioritize assessment and remediation. Organizations subject to IEC 61511 or ISA-84 functional safety standards should evaluate potential safety implications of controller message manipulation vulnerabilities.

Technical summary

CVE-2023-5406 is a message manipulation vulnerability in Honeywell's Experion distributed control systems and Safety Manager safety instrumented systems. The flaw exists in how Experion Servers and Stations process messages from controllers, allowing an attacker with network access to send specially crafted messages that can crash the system (denial-of-service) or execute arbitrary code remotely. The attack complexity is rated high, suggesting the exploit requires specific conditions or detailed knowledge of the controller protocol. The vulnerability affects 16 distinct product/version combinations across five product families, indicating a common underlying code base or protocol implementation issue. Remediation requires upgrading to patched versions specified in Honeywell Security Notice SN2024. Given the safety-critical nature of Safety Manager systems, this vulnerability presents elevated risk in environments where safety instrumented systems protect against hazardous conditions.

Defensive priority

high

Recommended defensive actions

  • Apply Honeywell security updates to affected Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC systems per vendor guidance in Security Notice SN2024
  • Segment industrial control networks to limit network access to Experion Servers and Stations from untrusted or compromised controller networks
  • Monitor controller-to-server communication channels for anomalous message patterns that may indicate manipulation attempts
  • Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
  • Review and validate controller integrity and authentication mechanisms to prevent message manipulation
  • Prioritize patching of Safety Manager and Safety Manager SC systems given their critical safety function in industrial environments

Evidence notes

Vulnerability disclosed via CISA ICS advisory ICSA-24-116-04 on April 25, 2024. Affects Experion PKS versions prior to R510.2_HF14, R511.5_TCU4_HF4, R520.1_TCU5, and R520.2_TCU4_HF2; Experion LX versions prior to R511.5_TCU4_HF4, R520.1_TCU5, and R520.2_TCU4_HF2; PlantCruise by Experion versions prior to R511.5_TCU4_HF4, R520.1_TCU5, and R520.2_TCU4_HF2; Safety Manager R15x and R16x through R162.10; and Safety Manager SC versions R210.X, R211.1, R211.2, and R212.1. Attack requires network access and manipulation of controller messages, indicating the threat actor must have compromised or spoofed controller communications.
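
The version thresholds above are the practical input to a patch-status review. The following triage script is an added example, not code from PatchSiren or Honeywell: it parses Honeywell release strings of the form R<major>.<minor>[_TCU<n>][_HF<n>] (an assumed format derived from the strings listed above) and classifies each Experion PKS, Experion LX or PlantCruise node against the fixed releases named in the advisory; Safety Manager and Safety Manager SC are not covered. The inventory rows are constructed sample data.

```python
import re

# First patched release per product family and release branch, taken from the
# advisory text above (ICSA-24-116-04). A node on a listed branch below the fix
# is affected; a branch the advisory does not name is reported as unknown.
EXPERION_FIXES = {
    "Experion PKS": ["R510.2_HF14", "R511.5_TCU4_HF4", "R520.1_TCU5", "R520.2_TCU4_HF2"],
    "Experion LX": ["R511.5_TCU4_HF4", "R520.1_TCU5", "R520.2_TCU4_HF2"],
    "PlantCruise by Experion": ["R511.5_TCU4_HF4", "R520.1_TCU5", "R520.2_TCU4_HF2"],
}

# Assumed release-string layout: R<major>.<minor>, optional _TCU<n>, optional _HF<n>.
VERSION_RE = re.compile(r"^R(\d+)\.(\d+)(?:_TCU(\d+))?(?:_HF(\d+))?$")


def parse_version(text):
    """Turn e.g. 'R511.5_TCU4_HF4' into (511, 5, 4, 4); absent TCU/HF count as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Honeywell release string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def assess(product, version):
    """Return 'affected', 'patched' or 'unknown' for one installed Experion node."""
    installed = parse_version(version)
    for fix in EXPERION_FIXES[product]:
        fixed = parse_version(fix)
        if fixed[:2] == installed[:2]:  # same release branch, e.g. R520.1
            return "affected" if installed < fixed else "patched"
    return "unknown"  # branch not named in the advisory; confirm with the vendor


# Constructed sample inventory (not real site data): product, node name, version.
SAMPLE_INVENTORY = [
    ("Experion PKS", "ESVT01", "R520.1_TCU4_HF3"),
    ("Experion PKS", "ESVT02", "R520.1_TCU5"),
    ("Experion LX", "LXSRV1", "R511.5_TCU4_HF2"),
    ("PlantCruise by Experion", "PCS01", "R520.2_TCU4_HF2"),
    ("Experion PKS", "OLD01", "R500.1"),
]


def triage(inventory):
    """Classify every node in an inventory; returns [(node, status), ...]."""
    return [(node, assess(product, ver)) for product, node, ver in inventory]


if __name__ == "__main__":
    for node, status in triage(SAMPLE_INVENTORY):
        print(f"{node:8} {status}")
```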
