CVE-2021-39363
📋 TL;DR
Honeywell HDZP252DI and HBW2PER1 devices on firmware older than the fixed releases listed below do not stop an attacker who has ARP-poisoned the local segment from sitting between the device and its viewer or NVR. From that position the attacker can capture the video stream and replay it, so operators see stale footage while whatever happens in front of the camera goes unrecorded. Any organization running either model is affected; the attacker needs access to the same layer-2 network as the device or its client.
💻 Affected Systems
- Honeywell HDZP252DI
- Honeywell HBW2PER1
📦 What is this software?
Network video surveillance cameras from Honeywell's building security portfolio. They serve a live video stream over the LAN to NVRs and viewing clients; that stream is the traffic at issue in this advisory.
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of surveillance integrity: an attacker positioned in the path intercepts, manipulates and replays video feeds at will while keeping a foothold on the camera network.
Likely Case
Video feed replay that hides an intrusion from operators or leaves misleading recorded footage, either to evade surveillance or to fabricate evidence.
If Mitigated
Limited impact: strict segmentation keeps untrusted hosts off the camera VLAN, and ARP monitoring surfaces any poisoning attempt quickly.
🎯 Exploit Status
ARP cache poisoning is a commodity technique with widely available tooling, and once the attacker sits in the path between camera and viewer, capturing and replaying the stream is straightforward. The prerequisite is layer-2 adjacency: the attacker must already be on, or have compromised a host on, the segment shared with the camera or its client, which is why segmentation is the main compensating control.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: HDZP252DI: 1.00.HW02.5 or later, HBW2PER1: 1.000.HW01.4 or later
Restart Required: Yes
Instructions:
1. Download the firmware update from the Honeywell support portal.
2. Back up the device configuration.
3. Apply the firmware update via the device web interface.
4. Reboot the device.
5. Verify the firmware version.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected cameras together with their NVR and viewing clients on a dedicated VLAN that contains no untrusted hosts, so an attacker cannot reach the segment on which the ARP poisoning must be performed.
Static ARP Entries
Configure static ARP entries on the NVR or viewing host for each camera (and on the camera's gateway, where it supports this) so a spoofed ARP reply cannot overwrite the mapping. On Linux:
arp -s <ip_address> <mac_address>
Static entries must be maintained on every host that talks to the camera and re-applied after reboot; newer distributions that ship iproute2 provide the equivalent via `ip neigh`. The camera itself may offer no such setting, so this protects the client side of the conversation only.
🧯 If You Can't Patch
- Segment affected devices on isolated networks with strict access controls.
- Implement network monitoring for ARP spoofing and anomalous traffic patterns.
🔍 How to Verify
Check if Vulnerable:
Log in to the device web interface and read System > Information > Firmware Version. HDZP252DI firmware older than 1.00.HW02.5 and HBW2PER1 firmware older than 1.000.HW01.4 are vulnerable.
Check Version:
No command-line check is available; use the web interface path above.
Verify Fix Applied:
After the post-update reboot, confirm the firmware version reads HDZP252DI 1.00.HW02.5 or later, or HBW2PER1 1.000.HW01.4 or later.
📡 Detection & Monitoring
Log Indicators:
- Unusual ARP traffic volume on the camera VLAN
- Bursts of unsolicited (gratuitous) ARP replies from a single MAC address
- An IP address whose MAC mapping changes, in particular the camera, NVR or gateway IP suddenly mapped to an unknown MAC
Network Indicators:
- ARP packets with mismatched IP/MAC addresses
- Unexpected video stream redirections
- Duplicate IP addresses on network
SIEM Query:
Illustrative Splunk-style queries (field names depend on the sensor feeding the SIEM; the threshold of 10 replies per source MAC is a starting point to tune per site):
index=network sourcetype=arp arp.opcode=2 | stats count BY src_mac | where count > 10
index=network sourcetype=arp | stats dc(src_mac) AS macs BY src_ip | where macs > 1
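To make the indicators above concrete, here is an added example (not Honeywell's code and not part of the original advisory) that runs the three checks over a set of constructed ARP records: a pinned camera/NVR mapping being contradicted by a reply, an IP claimed by two different MACs, and a burst of unsolicited replies from one MAC within a time window. The addresses, the record format, the pinned table (mirroring the static ARP workaround) and the 10-replies-per-minute threshold are assumptions; in practice the records would come from a packet capture or a switch's ARP inspection log.

```python
"""ARP-poisoning indicator checks over a list of ARP records (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpRecord:
    ts: float          # seconds since capture start
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str


# Assumed addresses, mirroring the static ARP entries of the workaround.
PINNED = {
    "10.10.5.20": "00:40:84:aa:bb:01",   # camera
    "10.10.5.10": "00:50:56:11:22:33",   # NVR / viewing client
}
REPLY_BURST_THRESHOLD = 10   # assumed: replies per sender MAC inside WINDOW_SECONDS
WINDOW_SECONDS = 60.0


def detect_arp_poisoning(records, pinned=PINNED,
                         threshold=REPLY_BURST_THRESHOLD, window=WINDOW_SECONDS):
    """Return a list of alert tuples; an empty list means no indicator fired."""
    alerts = []
    ip_to_mac = {}                      # first MAC seen claiming each unpinned IP
    reply_times = defaultdict(deque)    # sender MAC -> timestamps of recent replies
    burst_reported = set()
    for r in sorted(records, key=lambda x: x.ts):
        mac = r.sender_mac.lower()
        if r.sender_ip in pinned:
            # Indicator 1: a reply contradicts a pinned (static) mapping.
            if r.opcode == 2 and pinned[r.sender_ip].lower() != mac:
                alerts.append(("pinned_mapping_violation", r.sender_ip, mac))
        else:
            # Indicator 2: an IP claimed by more than one MAC (duplicate IP / mapping change).
            prev = ip_to_mac.setdefault(r.sender_ip, mac)
            if prev != mac:
                alerts.append(("ip_mac_conflict", r.sender_ip, prev, mac))
        # Indicator 3: burst of replies from one MAC inside the sliding window.
        if r.opcode == 2:
            q = reply_times[mac]
            q.append(r.ts)
            while q and r.ts - q[0] > window:
                q.popleft()
            if len(q) > threshold and mac not in burst_reported:
                burst_reported.add(mac)
                alerts.append(("reply_burst", mac, len(q)))
    return alerts


def _benign():
    # Constructed sample: NVR resolves the camera, camera answers, a workstation resolves the gateway.
    return [
        ArpRecord(0.0, 1, "00:50:56:11:22:33", "10.10.5.10", "10.10.5.20"),
        ArpRecord(0.1, 2, "00:40:84:aa:bb:01", "10.10.5.20", "10.10.5.10"),
        ArpRecord(5.0, 1, "00:11:22:33:44:55", "10.10.5.77", "10.10.5.1"),
    ]


BENIGN_RECORDS = _benign()

# Constructed sample: a second MAC claims 10.10.5.77, then an attacker MAC floods
# unsolicited replies so both camera and NVR map the other's IP to the attacker.
SAMPLE_RECORDS = _benign() + [
    ArpRecord(6.0, 1, "00:11:22:33:44:66", "10.10.5.77", "10.10.5.1"),
] + [
    ArpRecord(10.0 + i, 2, "de:ad:be:ef:00:01",
              "10.10.5.20" if i % 2 == 0 else "10.10.5.10",
              "10.10.5.10" if i % 2 == 0 else "10.10.5.20")
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_RECORDS):
        print(alert)
```

On the constructed sample every one of the attacker's twelve replies trips the pinned-mapping check, the burst check fires once when the eleventh reply lands inside the window, and the duplicate claim on 10.10.5.77 is reported exactly once; the benign traffic produces no alerts. The pinned table is the same information the static ARP workaround encodes, which is why maintaining it in one place for both the hosts and the monitor pays off.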
🔗 References
- https://buildings.honeywell.com/content/dam/hbtbt/en/documents/downloads/Security_Notification_SN_2022-01-26-01_CVE-2021-39363_Command_Injection_HDZP252DI.pdf
- https://buildings.honeywell.com/us/en/brands/our-brands/security/support-and-resources/product-resources/eol-and-security-notices
- https://www.honeywell.com/us/en/product-security