Honeywell Falcon Administrative Bypass

Posted Oct 1, 2014
Authored by Martin Jartelius | Site outpost24.com

Honeywell Falcon suffers from a vulnerability that allows anyone to log in as the administrator without prior knowledge of any username or password.

tags | advisory, bypass
advisories | CVE-2014-2717
SHA-256 | 38330e824709e2c82d60c63e425dfc961fdac2c05ddd5ba2bd7656c5ec7730c2

After giving the market two extra months for patching, and also
contacting some of the affected national CERTs, Outpost24 today released
the vulnerability details for CVE-2014-2717.
This vulnerability consists of a missing access restriction in
combination with a flawed login function, resulting in something as
exotic as a pass-the-hash vulnerability that allows authenticating to a
SCADA system with administrative access.*

*TL;DR: The Honeywell Falcon (XLWeb Linux/Webserver) contains a
vulnerability which allows anyone, even without knowing a username or
password, to log in to the system as an administrator. Although
information regarding the presence of the vulnerability has been
available for a few months since its disclosure by ICS-CERT to
member organizations, multiple unpatched systems remain exposed to the
Internet. Outpost24 waited for an airport that we were aware was
affected to patch before releasing.
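To make the vulnerability class concrete, the following added illustration (not Honeywell's code, and not a reproduction of the real XLWeb implementation) shows a hypothetical login routine that accepts a stored hash in place of the password beside a corrected one; the user store and password are constructed values.

```python
import hashlib
import hmac

# Constructed, hypothetical user store: username -> hex digest of password.
# Unsalted SHA-256 is used only to keep the illustration short; a real
# system would use a salted, slow KDF (bcrypt, scrypt, Argon2).
USERS = {"admin": hashlib.sha256(b"correct horse").hexdigest()}


def hash_password(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def flawed_login(user: str, credential: str) -> bool:
    """Flawed login: accepts either the password or its stored hash.

    Combined with a missing access restriction that lets the stored hash
    be read without authenticating, this becomes a pass-the-hash bypass:
    possessing the hash is as good as possessing the password.
    """
    stored = USERS.get(user)
    if stored is None:
        return False
    return credential == stored or hash_password(credential) == stored


DUMMY_HASH = hash_password("dummy")  # keeps timing similar for unknown users


def fixed_login(user: str, password: str) -> bool:
    """Corrected login: only the password itself is accepted, the digest
    comparison is constant-time, and unknown users take the same code path."""
    stored = USERS.get(user, DUMMY_HASH)
    match = hmac.compare_digest(hash_password(password), stored)
    return match and user in USERS


def leaked_hash_accepted(login, user: str) -> bool:
    """Simulates a client that knows only the stored hash, not the password,
    and submits the hash as the credential; True means the bypass works."""
    return login(user, USERS[user])
```

The defender's check is `leaked_hash_accepted(fixed_login, "admin")` returning False while the genuine password still authenticates.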

The full write-up is available here:
http://www.outpost24.com/cve-2014-2717-attacking-the-honeywell-falcon-xlweb/

References:
https://ics-cert.us-cert.gov/advisories/ICSA-14-175-01
CVE-2014-2717


AFFECTED PRODUCTS
The following Honeywell FALCON XLWeb controller versions are affected:

* FALCON Linux 2.04.01 or older
* FALCON XLWebExe 2.02.11 or older.

IMPACT
An attacker may use these vulnerabilities to generate a valid login for
an administrative user in the Honeywell FALCON XLWeb controller,
obtaining full administrator access to the system.

The impact to individual organizations depends on many factors that are
unique to each organization. ICS-CERT recommends that organizations
evaluate the impact of this vulnerability based on their operational
environment, architecture and product implementation.

The affected products, FALCON XLWeb controllers, are web-based SCADA
systems. According to Honeywell, FALCON XLWeb controllers are deployed
across several industries including critical manufacturing, energy and
wastewater systems among others. According to Honeywell, the affected
controllers are used by customers primarily in Europe and the Middle East.

Outpost24 would like to thank Honeywell and ICS-CERT for their fast
work in resolving the problems, and we also completely share the
vendor's recommendation that SCADA systems should not be internet
facing in the first place. The vendor has been a pleasure to work with
and has taken every care to resolve the issue in a timely manner.


Martin Jartelius
CSO
Outpost24
www.outpost24.com
