Honeywell HscRemoteDeploy.dll ActiveX Control vulnerability

Added: 04/19/2013
CVE: CVE-2013-0108
BID: 58134
OSVDB: 90583

Background

Honeywell offers software solutions which integrate different systems and devices such as HVAC, security, safety, lighting, and energy into a common platform.

Problem

A vulnerability in multiple Honeywell products allows command execution when a user loads a malicious web page which calls the HscRemoteDeploy.dll ActiveX control with specially crafted parameters.

Resolution

Contact Honeywell for an update.

References

http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02A.pdf

Limitations

Exploit works on Honeywell HSCRemoteDeploy ActiveX 5.7.170.410 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn) and requires a user to open the exploit page in Internet Explorer 8 or 9.

Platforms

Windows

Back to exploit index