A series of web-based SCADA controllers from manufacturer Honeywell have been shown to be vulnerable. Germany-based security researcher Maxim Rupp publicly disclosed them late last month after they were privately disclosed in August 2016 and recently published a blogpost disclosing the vulnerabilities in Honeywell's XL Web II controllers.
Rupp's advisory details a variety of vulnerabilities including insufficient protected credentials and plain text storage of passwords. On top of that, the advisory notes that though those users using “guest” groups are properly restricted, a malicious user could access previously barred functions by accessing a specific URL, allowing them to obtain sensitive information. The Web controllers are also apparently vulnerable to Path Traversal Attacks, which according to the advisory “allows a malicious user to access files that reside outside the web document root directory on the host system.”
The controllers which are manufactured by Honeywell are used widely across critical infrastructure, being used mostly in Europe and the Middle East according to Honeywell.
Honeywell developed a fix for this in September 2016, version 3.04.05.05, which users can get if they contact their local HBS branch.Neither Honeywell nor Rupp responded to requests for commentary.