CVE-2020-6972
📋 TL;DR
This vulnerability allows an attacker to bypass authentication on the Honeywell Notifier Web Server (NWS) by capturing a legitimate authentication request sent from a web browser and replaying it (a capture-replay attack). It affects NWS versions 3.50 and earlier and can expose fire alarm monitoring systems to unauthorized access.
💻 Affected Systems
- Honeywell Notifier Web Server (NWS)
📦 What is this software?
NWS is Honeywell's web front end for its NOTIFIER fire alarm control panels. It lets operators view panel status and events from a browser, which is why an authentication bypass hands an attacker the monitoring view described below.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the fire alarm monitoring system, allowing an attacker to disable alarms, manipulate sensor data, or reach other building systems connected to the panel.
Likely Case
Unauthorized access to the fire alarm monitoring interface, allowing an attacker to view sensitive building information and potentially manipulate alarm status.
If Mitigated
Limited impact if the system is isolated behind firewalls with strict network segmentation and access controls, since the attacker must first be able to capture a login and then reach the web interface to replay it.
🎯 Exploit Status
The attack requires observing one legitimate login and replaying it. The capture can be done on the network path (trivial if the interface is served over plain HTTP) or from the operator's browser with its developer tools or an intercepting proxy; the replay is the captured request resent unchanged. No credentials need to be cracked, and no special tools or deep technical knowledge are required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 3.60 or later
Vendor Advisory: https://www.us-cert.gov/ics/advisories/icsa-20-051-03
Restart Required: Yes
Instructions:
1. Contact Honeywell for NWS version 3.60 or later.
2. Back up the current configuration.
3. Install the updated version following Honeywell's installation guide.
4. Restart the NWS service.
5. Verify that authentication is working properly.
🔧 Temporary Workarounds
Network Segmentation
Isolate the NWS server from untrusted networks and restrict access to authorized IP addresses only. This also limits where a login can be captured from, which is the precondition for the replay.
VPN Access Only
Require a VPN connection for all access to the NWS web interface.
🧯 If You Can't Patch
- Implement strict network access controls allowing only authorized management stations to connect to NWS.
- Put an authenticating reverse proxy (TLS plus its own login, for example client certificates) in front of NWS. A generic WAF signature cannot distinguish a replayed login from the original, because the replayed request is byte-for-byte valid; an extra authentication layer that NWS does not issue is what makes the captured request insufficient on its own.
🔍 How to Verify
Check if Vulnerable:
Check the NWS version in the web interface or configuration files. If the version is 3.50 or earlier, the system is vulnerable.
Check Version:
Check the web interface login page, or consult the NWS configuration documentation for the version check procedure.
Verify Fix Applied:
After patching, verify that the version shows 3.60 or later. Rejecting invalid credentials does not prove the replay is fixed, because the attack uses a valid request; instead, from an authorized test station, capture a legitimate login with the browser's developer tools, then resend that exact request from a fresh session (or a second host) and confirm that it is rejected and no authenticated session is created.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful access from the same IP
- A successful authentication from an address other than the one the same user normally logs in from, especially close in time to a legitimate login
- Access from unauthorized IP addresses
Network Indicators:
- Identical authentication request bodies arriving from two different source addresses (the original login and the replay)
- HTTP traffic to the NWS web interface from unexpected sources
- Authentication traffic to NWS served over plain HTTP, which lets anyone on the path capture a replayable login
SIEM Query (pseudo-syntax; field names are assumptions and must be mapped to your log source):
source="NWS" AND ((event_type="authentication" AND result="success" AND previous_attempts>3) OR (src_ip NOT IN allowed_ips AND (dest_port=80 OR dest_port=443)))
Note that a successful replay looks like a normal successful login on its own; the indicators above only work if the logging layer (NWS itself or a reverse proxy in front of it) records the source address and enough of the request to compare logins.
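The detection logic above, as an added example that is not part of the original page or of any Honeywell software. NWS log output is not documented here, so the script assumes a proxy in front of NWS writing one key=value line per authentication attempt (fields ts, src_ip, event, result, req, session are assumed) and runs three rules over constructed sample lines: a success from an address outside the management allowlist, the same authentication request succeeding from two different source addresses (the replay signature), and a success following three or more failures from the same address.

```python
"""Replay-style authentication detection over constructed NWS-style logs.

Added example, not Honeywell code. The key=value line format and field
names below are assumptions; adapt parse_line() to the real log source.
"""
from collections import defaultdict

# Assumed management stations allowed to log in to NWS.
ALLOWED_IPS = {"10.10.5.20", "10.10.5.21"}

# Constructed sample log: a legitimate login, three failed guesses from an
# unknown host, then that host succeeding with the SAME request the
# operator sent at 09:00:01 (a replay), then another legitimate login.
SAMPLE_LOG = """\
ts=2020-02-20T09:00:01 src_ip=10.10.5.20 event=authentication result=success req=user=admin&auth=9f3c2a session=S1
ts=2020-02-20T09:05:10 src_ip=192.168.77.9 event=authentication result=failure req=user=admin&auth=000001 session=-
ts=2020-02-20T09:05:12 src_ip=192.168.77.9 event=authentication result=failure req=user=admin&auth=000002 session=-
ts=2020-02-20T09:05:15 src_ip=192.168.77.9 event=authentication result=failure req=user=admin&auth=000003 session=-
ts=2020-02-20T09:05:40 src_ip=192.168.77.9 event=authentication result=success req=user=admin&auth=9f3c2a session=S2
ts=2020-02-20T09:30:00 src_ip=10.10.5.21 event=authentication result=success req=user=tech&auth=4b7d10 session=S3
"""


def parse_line(line):
    """Split 'k=v k=v ...' into a dict; the req value may itself contain '='."""
    rec = {}
    for field in line.split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(log_text, allowed_ips=ALLOWED_IPS, fail_threshold=3):
    """Return (rule, src_ip, ts) tuples for suspicious successful logins."""
    alerts = []
    failures = defaultdict(int)   # src_ip -> failures since last success
    first_success = {}            # req -> first src_ip that succeeded with it
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("event") != "authentication":
            continue
        ip, req, ts = rec["src_ip"], rec["req"], rec["ts"]
        if rec["result"] != "success":
            failures[ip] += 1
            continue
        # Rule 1: success from a host that is not an authorized station.
        if ip not in allowed_ips:
            alerts.append(("success_from_unlisted_ip", ip, ts))
        # Rule 2: the same request already logged someone in from elsewhere.
        # Keyed on a different source address because, with no nonce in the
        # request, a legitimate user re-logging from the same station would
        # repeat the identical request.
        if first_success.setdefault(req, ip) != ip:
            alerts.append(("replayed_auth_request", ip, ts))
        # Rule 3: guessing followed by a sudden success.
        if failures[ip] >= fail_threshold:
            alerts.append(("success_after_failures", ip, ts))
        failures[ip] = 0
    return alerts


if __name__ == "__main__":
    for rule, ip, ts in detect(SAMPLE_LOG):
        print(f"{ts} {ip} {rule}")
```

Rule 2 is the one that actually identifies a replay; rules 1 and 3 are the generic indicators the page lists and will also fire on ordinary brute forcing. All three depend on the proxy logging the full authentication request (or a stable hash of it), which NWS alone may not do.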