
Honeywell TEMA Remote Installer ActiveX Vulnerability

October 12, 2011

Independent security researchers Billy Rios and Terry McCorkle responsibly disclosed to ICS-CERT a vulnerability affecting Honeywell Enterprise Buildings Integrator (EBI) software systems that have Temaline physical access control products installed. Temaline client products use the Tema Remote Installer to download and install required Tema components for client workstation access.

Tema Remote Installer uses the DownloadURL() ActiveX function, configured to ignore file authentication. This misuse of an ActiveX function allows download and installation of any MSI file without checking the authenticity of the source and without notifying the user.

Successful exploits will allow attackers to download a malicious file onto a victim's computer and execute arbitrary code within the context of the application that uses the ActiveX control (typically Internet Explorer).
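The missing control is an authenticity check on the MSI before it is installed. The PowerShell sketch below is an added example, not Honeywell's code or part of the original advisory; it shows that check being enforced, and the function names and the expected publisher value are assumptions.

```powershell
# Added example: refuse to install an MSI unless its Authenticode signature is
# valid AND it was signed by the expected publisher.
# Function names and $ExpectedPublisher are assumptions, not values from the advisory.
function Test-MsiTrusted {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file hash matches the signature and the certificate
    # chains to a trusted root. Unsigned files report 'NotSigned'.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Rejected ${Path}: signature status is $($sig.Status)"
        return $false
    }

    # A valid signature from an unrelated publisher is still the wrong source.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -ne $ExpectedPublisher) {
        Write-Warning "Rejected ${Path}: signed by '$signer', expected '$ExpectedPublisher'"
        return $false
    }
    return $true
}

function Install-VerifiedMsi {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    if (-not (Test-MsiTrusted -Path $Path -ExpectedPublisher $ExpectedPublisher)) {
        throw "Refusing to install unverified package: $Path"
    }
    # No /qn switch: the installer UI stays visible, so the user is notified.
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList '/i', "`"$Path`"" -Wait -PassThru
    return $proc.ExitCode
}
```

Matching on the certificate's simple name is the minimum; pinning the signer certificate's thumbprint is stricter where the publisher's certificate is known in advance.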

According to Honeywell, the following EBI product versions are affected:
- EBI R310.1 - TEMA 4.8
- EBI R310.1 - TEMA 4.9
- EBI R310.1 - TEMA 4.10
- EBI R400.2 SP1 - TEMA 5.2
- EBI R410.1 - TEMA 5.3.0
- EBI R410.2 - TEMA 5.3.1

SCADAhacker comment:
Billy Rios and Terry McCorkle presented at DerbyCon 2011 a session entitled "100 Bugs in 100 Days: An Analysis of ICS (SCADA) Software". You can view the presentation by clicking here.

ICS-CERT Advisories / Alerts

ICSA-11-285-01

Vendor Website (includes Patches / Hotfixes)

EBI Product Homepage

Exploit Proof-of-Concept

Attackers can exploit this issue by tricking an unsuspecting victim into visiting a malicious webpage.

Common Vulnerability & Exposure (CVE) References

Not available at this time.

Additional Information

IBM Internet Security Systems #70529
Secunia Advisory #46497
Secunia Vulnerability Report and Statistics on EBI Temaline 4.x
Secunia Vulnerability Report and Statistics on EBI Temaline 5.x
Secunia Vulnerability Report and Statistics on EBI Temaline Remote Installer ActiveX Control
Security Focus Vulnerability Info and Exploit Bugtraq ID 50078

Patches for Building Automation Software (ISSSource)