Honeywell Maxpro VMS/NVR systems vulnerable to hijacking

Honeywell’s Maxpro VMS and NVR, network video recorders and video management systems deployed in commercial, manufacturing and energy facilities around the world, sport critical vulnerabilities that may allow attackers to take control of them.


Patches available for the Honeywell Maxpro vulnerabilities

Two vulnerabilities have been discovered and reported by Joachim Kerschbaumer:

  • CVE-2020-6959, stemming from an unsafe deserialization of untrusted data, which could allow an attacker to remotely modify deserialized data using a specially crafted web request, resulting in remote code execution
  • CVE-2020-6960, a SQL injection vulnerability that could be exploited by attackers to achieve remote access to the devices’ web user interface with administrator-level privileges.

Both vulnerabilities have been deemed to be critical by the ICS-CERT, as they can be exploited remotely without authentication by low-skilled attackers.

Honeywell assigned somewhat lesser CVSS scores to the vulnerabilities, as it claims they can be exploited only by skilled hackers.

The good news is that there is no public PoC that could help attackers craft an exploit and no ready-to-use public exploit. Also: Honeywell had already plugged the security holes.

Users are advised to upgrade MAXPRO VMS and NVR to versions R560 and 5.6, respectively, before applying the T2-Patch.

The updates and patches are available at Honeywell’s MyWebTech site (you have to have a user account/access credentials).
