
Vulnerability Alert: Honeywell Experion DCS and QuickBlox Services Expose Critical Security Weaknesses


Security researchers have uncovered multiple vulnerabilities in various services, including Honeywell Experion distributed control system (DCS) and QuickBlox, which could have severe consequences if exploited successfully.

Referred to as Crit.IX, these nine flaws in the Honeywell Experion DCS platform enable unauthorized remote code execution. This means that an attacker could take control of the devices and manipulate the DCS controller’s operation while concealing these changes from the engineering workstation managing the controller. The vulnerabilities stem from a lack of encryption and proper authentication mechanisms in the Control Data Access (CDA) protocol used for communication between Experion Servers and C300 controllers. Consequently, threat actors can impersonate both the controller and the server, and design flaws in the CDA protocol may lead to buffer overflows.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has rated seven of the nine vulnerabilities with a CVSS score of 9.8 out of 10, indicating their critical severity. The remaining two vulnerabilities have a rating of 7.5. Exploiting these vulnerabilities could result in denial-of-service, privilege escalation, or remote code execution.

In a related discovery, Check Point and Claroty identified significant flaws in QuickBlox, a chat and video calling platform widely used in telemedicine, finance, and smart IoT devices. These vulnerabilities could allow attackers to extract user databases from various popular applications incorporating QuickBlox SDK and API. The researchers found additional bugs (CVE-2023-31184 and CVE-2023-31185) in the mobile app of Rozcom, an Israeli vendor offering intercom systems. These bugs enabled the download of all user databases, user impersonation, and full account takeover, granting complete control over Rozcom intercom devices, including access to cameras, microphones, and the ability to manipulate door functions.

Additionally, this week saw the disclosure of remote code execution vulnerabilities affecting Aerohive/Extreme Networks access points running HiveOS/Extreme IQ Engine versions before 10.6r2 and the Ghostscript library (CVE-2023-36664). The Ghostscript vulnerability, with a CVSS score of 9.8, allows arbitrary command execution. Because Ghostscript is a widely used package, many applications that depend on it could be affected by the exploit.

Security weaknesses have also been revealed in two Golang-based open-source platforms: Owncast (CVE-2023-3188) and EaseProbe (CVE-2023-33967). These vulnerabilities could facilitate Server-Side Request Forgery (SSRF) and SQL injection attacks, respectively.
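The SSRF class mentioned above is worth seeing in defensive code. The following is an added example, not code from Owncast, EaseProbe, or this article: a Go validator for URLs that a server fetches on a user's behalf. It rejects non-HTTP schemes and embedded credentials, resolves the host, and refuses any address in loopback, private, link-local (including the cloud metadata endpoint) or CGNAT ranges, checking every resolved address rather than only the first. The resolver is injected so the check runs offline; `constructedResolver`, its hostnames and the IP table are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver maps a hostname to the addresses a request would actually reach.
// It is injected so the check can be exercised offline with constructed data.
type Resolver func(host string) ([]net.IP, error)

// blockedNets lists ranges an outbound fetch must never reach: loopback,
// RFC 1918 space, link-local (covers 169.254.169.254 metadata), CGNAT,
// the unspecified address, and their IPv6 counterparts.
var blockedNets = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10", "::/128",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isBlockedIP reports whether ip falls in any blocked range. IPv4-mapped
// IPv6 addresses (::ffff:127.0.0.1) are normalised to IPv4 first so they
// cannot bypass the IPv4 rules.
func isBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateOutboundURL rejects URLs that would let a server-side fetch reach
// internal services. Every resolved address is checked, so a host with one
// public and one private record is refused.
func ValidateOutboundURL(raw string, resolve Resolver) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in URL not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	ips, err := resolve(host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("cannot resolve %q", host)
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return u, nil
}

// constructedResolver stands in for DNS with a fixed, constructed table
// (hostnames and addresses are illustrative, not real infrastructure).
func constructedResolver(host string) ([]net.IP, error) {
	if ip := net.ParseIP(host); ip != nil {
		return []net.IP{ip}, nil
	}
	table := map[string][]net.IP{
		"example.com":  {net.ParseIP("93.184.216.34")},
		"dual.example": {net.ParseIP("93.184.216.34"), net.ParseIP("10.0.0.5")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, errors.New("NXDOMAIN")
}

func main() {
	for _, raw := range []string{
		"https://example.com/feed",
		"http://127.0.0.1:8080/admin",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:127.0.0.1]/",
		"http://dual.example/",
		"file:///etc/passwd",
	} {
		_, err := ValidateOutboundURL(raw, constructedResolver)
		fmt.Printf("%-42s -> %v\n", raw, err)
	}
}
```

One caveat on the design: the validator resolves the name once, and an HTTP client that later resolves it again is exposed to DNS rebinding. To close that gap, connect to the address that passed validation (for example through a custom dialer) instead of letting the client resolve the hostname a second time.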

Lastly, hard-coded credentials have been discovered in Technicolor TG670 DSL gateway routers, enabling authenticated users to gain full administrative control over the devices. Remote attackers can exploit default usernames and passwords to access the router’s administrative settings and utilize the device in unexpected ways.

To mitigate potential risks, users are advised to disable remote administration on their devices and consult service providers for available patches and updates.
