Honeywell TEMA Remote Installer ActiveX Vulnerability
October 12, 2011
Independent security researchers Billy Rios and Terry
McCorkle responsibly disclosed to ICS-CERT a vulnerability
affecting Honeywell Enterprise Buildings Integrator (EBI)
software systems that have Temaline physical access control
products installed. Temaline client products use the Tema
Remote Installer to download and install required Tema
components for client workstation access.
The Tema Remote Installer uses the DownloadURL() ActiveX
function, configured to ignore file authentication. This
misuse of an ActiveX function allows download and installation
of any MSI file without checking source authenticity and
without notifying the user.
Successful exploits will allow attackers to download a
malicious file onto a victim's computer and execute arbitrary
code within the context of the application that uses the
ActiveX control (typically Internet Explorer).
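The checks described above as missing (source authenticity, file authentication, user notification), shown as an added PowerShell example that is not Honeywell's code or part of the original advisory. The function names, the host name and the thumbprint value are assumptions made for illustration.

```powershell
# Added example: hypothetical helper functions, not Honeywell code.
function Test-InstallerSource {
    param([Parameter(Mandatory)][uri]$Url, [Parameter(Mandatory)][string[]]$AllowedHosts)
    # Source authenticity: absolute HTTPS URL whose host is exactly on the allowlist.
    return ($Url.IsAbsoluteUri -and $Url.Scheme -eq 'https' -and ($AllowedHosts -contains $Url.Host))
}

function Install-VerifiedMsi {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][uri]$Url,
        [Parameter(Mandatory)][string[]]$AllowedHosts,
        [Parameter(Mandatory)][string]$PublisherThumbprint
    )
    if (-not (Test-InstallerSource -Url $Url -AllowedHosts $AllowedHosts)) {
        throw "Refusing download: $Url is not an allowlisted HTTPS source."
    }
    $msi = Join-Path ([IO.Path]::GetTempPath()) ([IO.Path]::GetRandomFileName() + '.msi')
    try {
        Invoke-WebRequest -Uri $Url -OutFile $msi -UseBasicParsing
        # File authentication: the Authenticode signature must validate and chain to a trusted root.
        $sig = Get-AuthenticodeSignature -FilePath $msi
        if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
            throw "Refusing install: signature status is $($sig.Status)."
        }
        # A valid signature from any publisher is not enough; pin the expected signer.
        if ($sig.SignerCertificate.Thumbprint -ne $PublisherThumbprint) {
            throw "Refusing install: signer '$($sig.SignerCertificate.Subject)' is not the pinned publisher."
        }
        # User notification: ConfirmImpact 'High' makes ShouldProcess prompt before installing.
        if ($PSCmdlet.ShouldProcess($msi, "Install MSI signed by $($sig.SignerCertificate.Subject)")) {
            $p = Start-Process msiexec.exe -ArgumentList '/i', "`"$msi`"", '/qb' -Wait -PassThru
            return $p.ExitCode
        }
    }
    finally {
        Remove-Item -LiteralPath $msi -ErrorAction SilentlyContinue
    }
}

# Constructed usage (placeholder host and thumbprint, not real values):
# Install-VerifiedMsi -Url 'https://updates.example.invalid/client.msi' `
#     -AllowedHosts 'updates.example.invalid' `
#     -PublisherThumbprint '<PINNED-PUBLISHER-CERT-THUMBPRINT>'
```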
According to Honeywell, the following EBI product versions
are affected:
- EBI R310.1 - TEMA 4.8
- EBI R310.1 - TEMA 4.9
- EBI R310.1 - TEMA 4.10
- EBI R400.2 SP1 - TEMA 5.2
- EBI R410.1 - TEMA 5.3.0
- EBI R410.2 - TEMA 5.3.1
SCADAhacker comment:
Billy Rios and Terry McCorkle presented at DerbyCon 2011
a session entitled "100 Bugs in 100 Days: An Analysis of ICS
(SCADA) Software". You can view the presentation by
clicking here.