CISA is warning organizations in the manufacturing sector about a critical vulnerability in Honeywell’s SoftMaster desktop tool that can enable an attacker to run arbitrary code.
The vulnerability (CVE-2022-2333) affects version 4.51 of SoftMaster, a desktop application used by engineers to program Honeywell programmable logic controllers (PLC). PLCs are dedicated computers used in industrial settings to control specific processes and machines. They’re prevalent in a wide range of industries, and Honeywell’s PLCs are widely deployed.
“If an attacker manages to trick a valid user into loading a malicious DLL, the attacker may be able to achieve code execution in the application’s context and permissions,” CISA said in its advisory Tuesday.
There is a second, less serious, flaw in the same version of SoftMaster that can allow a local user to escalate privileges.
“A local unprivileged attacker may escalate to administrator privileges, due to insecure permission assignment,” the advisory says.
Researchers on Claroty’s Team82 discovered the vulnerabilities and disclosed them to Honeywell, which has released updates to SoftMaster to address the bugs.
“These are two local privilege escalation vulnerabilities that can be abused to gain admin privileges, depending on the user’s permissions. Both vulnerabilities are relatively simple to exploit once an attacker has local access to the SoftMaster application,” said Noam Moshe, a vulnerability researcher on Team82.
“An attacker with this type of local access could disrupt a physical process, either by shutting it down or forcing it to perform operations that could impact safety and reliability.”
Organizations running vulnerable versions of SoftMaster should update as soon as possible, and if upgrading isn’t practical right away, isolate vulnerable systems from the Internet.