CVE-2022-30243 – Honeywell Alerton Visual Logic controllers allo... (How to Fix)

Q: What is the severity of CVE-2022-30243?

CVE-2022-30243 has a CVSS score of 8.8 (HIGH). Honeywell Alerton Visual Logic controllers allow unauthenticated remote users to write and execute arbitrary code without verification. This enables attackers to alter or stop controller programs, potentially disrupting building automation systems. Organizations using affected Honeywell Alerton controllers through May 4, 2022 are vulnerable.

📋 TL;DR

Honeywell Alerton Visual Logic controllers allow unauthenticated remote users to write and execute arbitrary code without verification. This enables attackers to alter or stop controller programs, potentially disrupting building automation systems. Organizations using affected Honeywell Alerton controllers through May 4, 2022 are vulnerable.

💻 Affected Systems

Products:

Honeywell Alerton Visual Logic controllers

Versions: All versions through 2022-05-04

Operating Systems: Proprietary controller OS

Default Config Vulnerable: ⚠️ Yes

Notes: Affects controllers with Visual Logic programming capability. Default configuration appears vulnerable based on advisory.

📦 What is this software?

Alterton Visual Logic Firmware by Honeywell

View all CVEs affecting Alterton Visual Logic Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of building automation systems leading to physical disruption (HVAC shutdown, safety system manipulation), environmental damage, or safety hazards.

🟠

Likely Case

Unauthorized program modification causing operational disruption, equipment damage, or denial of service in building control systems.

🟢

If Mitigated

Limited impact with network segmentation and access controls preventing unauthorized network access to controllers.

🌐 Internet-Facing: HIGH - Controllers exposed to internet allow unauthenticated remote code execution without any credentials.

🏢 Internal Only: HIGH - Even internally, unauthenticated exploitation allows any network user to compromise controllers.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public proof-of-concept available from Scadafence. Exploitation requires sending crafted packets to controller.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2022-05-04

Vendor Advisory: https://www.honeywell.com/us/en/product-security

Restart Required: Yes

Instructions:

1. Contact Honeywell for updated firmware. 2. Backup controller configurations. 3. Apply firmware update following vendor instructions. 4. Restart controller. 5. Verify program integrity.

🔧 Temporary Workarounds

Network segmentation and access control

all

Isolate Alerton controllers on separate VLAN with strict firewall rules limiting access to authorized management stations only.

Disable remote programming

all

If supported by configuration, disable remote programming writes to controllers.

🧯 If You Can't Patch

Implement strict network segmentation with firewall rules blocking all unnecessary traffic to controllers
Deploy network monitoring and intrusion detection specifically for SCADA protocols and alert on unauthorized programming writes

🔍 How to Verify

Check if Vulnerable:

Check controller firmware version date. If before or equal to 2022-05-04, likely vulnerable. Test with authorized penetration testing tools only.

Check Version:

Check via Alerton programming software or controller web interface for firmware version/date.

Verify Fix Applied:

Verify firmware version is after 2022-05-04. Test that unauthenticated programming writes are rejected.

📡 Detection & Monitoring

Log Indicators:

Unauthorized programming write attempts in controller logs
Unexpected program changes or stops

Network Indicators:

Unusual BACnet or proprietary protocol traffic to controllers from unauthorized sources
Crafted packets matching exploit patterns

SIEM Query:

source_ip NOT IN (authorized_management_ips) AND (protocol:BACnet OR port:47808) AND (event_type:write OR program_change)

📊 Metadata

CVE ID: CVE-2022-30243

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-829

Published: July 15, 2022

Last Updated: November 21, 2024

🔗 References

https://blog.scadafence.com Not Applicable
https://github.com/scadafence/Honeywell-Alerton-Vulnerabilities Third Party Advisory
https://www.honeywell.com/us/en/product-security Vendor Advisory
https://blog.scadafence.com Not Applicable
https://github.com/scadafence/Honeywell-Alerton-Vulnerabilities Third Party Advisory
https://www.honeywell.com/us/en/product-security Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-30243, you might also want to check these: