Flaws in industrial gas detectors exploitable by low-skilled attackers

Two industrial gas detector product lines manufactured by Honeywell sport two remotely exploitable vulnerabilities that can allow an attacker to retrieve the user’s password and to bypass the authentication process.

The latter capability would permit the attacker to gain access to the device, to make unauthorized configuration changes, and to start the calibration or test processes.

“An attacker with low skill would be able to exploit these vulnerabilities,” ICS-CERT warned in a recently released security advisory.

Luckily, the company has already come up with fixes, which are included in the latest firmware versions for the Midas and Midas Black gas detectors, which can be downloaded from here (within the “Software” tab).

“According to Honeywell, Midas gas detectors are deployed across several sectors including Chemical, Commercial Facilities, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems. Honeywell estimates that these products are used worldwide,” ICS-CERT notes. “Impact to individual organizations depends on many factors that are unique to each organization.”

Both ICS-CERT and Honeywell shared some risk mitigation techniques in case the updates can’t be implemented immediately. They include keeping control system devices and/or systems off the Internet, putting them behind firewalls and isolated from the business network, using VPNs when accessing the systems remotely, and allowing only trained and trusted persons to have physical access to the system.

The flaws have been identified by independent researcher Maxim Rupp, and so far there are no known public exploits for targeting them.