Security News > 2023 > July > Critical Security Flaws Uncovered in Honeywell Experion DCS and QuickBlox Services
Multiple security vulnerabilities have been discovered in various services, including Honeywell Experion distributed control system and QuickBlox, that, if successfully exploited, could result in severe compromise of affected systems.
Dubbed Crit.IX, the nine flaws in the Honeywell Experion DCS platform allow for "Unauthorized remote code execution, which means an attacker would have the power to take over the devices and alter the operation of the DCS controller, whilst also hiding the alterations from the engineering workstation that manages the controller," Armis said in a statement shared with The Hacker News.
Put differently, the issues relate to lack of encryption and adequate authentication mechanisms in a proprietary protocol called Control Data Access that's used to communicate between Experion Servers and C300 controllers, effectively enabling a threat actor to take over the devices and alter the operation of the DCS controller.
In a related development, Check Point and Claroty uncovered major flaws in a chat and video calling platform known as QuickBlox that's widely used in telemedicine, finance, and smart IoT devices.
"As a result, we were able to take over all Rozcom intercom devices, giving us full control and allowing us to access device cameras and microphones, wiretap into its feed, open doors managed by the devices, and more," the researchers said.
Rounding off the list is the discovery of hard-coded credentials in Technicolor TG670 DSL gateway routers that could be weaponized by an authenticated user to gain full administrative control of the devices.
News URL
https://thehackernews.com/2023/07/critical-security-flaws-uncovered-in.html
Related news
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- Major security audit of critical FreeBSD components now available (source)
- Ivanti Issues Critical Security Updates for CSA and Connect Secure Vulnerabilities (source)
- Critical security hole in Apache Struts under exploit (source)