Honeywell HscRemoteDeploy.dll ActiveX Control vulnerability
Added: 04/19/2013CVE: CVE-2013-0108
BID: 58134
OSVDB: 90583
Background
Honeywell offers software solutions which integrate different systems and devices such as HVAC, security, safety, lighting, and energy into a common platform.Problem
A vulnerability in multiple Honeywell products allows command execution when a user loads a malicious web page which calls the HscRemoteDeploy.dll ActiveX control with specially crafted parameters.Resolution
Contact Honeywell for an update.References
http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02A.pdfLimitations
Exploit works on Honeywell HSCRemoteDeploy ActiveX 5.7.170.410 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn) and requires a user to open the exploit page in Internet Explorer 8 or 9.Platforms
WindowsBack to exploit index