Honeywell equIP/Performance Series IP Cameras/Recorders Authentication Bypass Vulnerability

Risk

High

Date Discovered

October 31, 2019

Description

Honeywell Tuxedo Touch Controller is prone to a remote authentication-bypass vulnerability. An attacker can exploit this issue to bypass the authentication mechanism and perform unauthorized actions. This may aid in further attacks.

Technologies Affected

  • Honeywell BD3PR1
  • Honeywell BD3PR2
  • Honeywell BD8PR1
  • Honeywell BW2PER1
  • Honeywell BW2PER2
  • Honeywell BW2PR1
  • Honeywell BW2PR2
  • Honeywell BW4PER1
  • Honeywell BW4PER2
  • Honeywell BW4PR1
  • Honeywell BW4PR2
  • Honeywell BW8PR2
  • Honeywell DZP252DI
  • Honeywell ED2PER3
  • Honeywell ED3PR3
  • Honeywell ED8PR1
  • Honeywell EW2PER2
  • Honeywell EW2PER3
  • Honeywell EW2PR1
  • Honeywell EW2PR2
  • Honeywell EW2PRW1
  • Honeywell EW4PER2
  • Honeywell EW4PER2B
  • Honeywell EW4PER3
  • Honeywell EW4PER3B
  • Honeywell EW4PR2
  • Honeywell EW4PR3
  • Honeywell EW4PRW3
  • Honeywell FD5PR1
  • Honeywell H2W2GR1
  • Honeywell H2W2PC1M
  • Honeywell H2W2PER3
  • Honeywell H2W4PER3
  • Honeywell H2W4PRV3
  • Honeywell H3W2GR1
  • Honeywell H3W2GR1V
  • Honeywell H3W2GR2
  • Honeywell H3W4GR1
  • Honeywell H3W4GR1V
  • Honeywell H4D3PRV2
  • Honeywell H4D3PRV3
  • Honeywell H4D8GR1
  • Honeywell H4D8PR1
  • Honeywell H4L2GR1
  • Honeywell H4L2GR1V
  • Honeywell H4L6GR2
  • Honeywell H4LGGR2
  • Honeywell H4W2GR1
  • Honeywell H4W2GR1V
  • Honeywell H4W2GR2
  • Honeywell H4W2PER2
  • Honeywell H4W2PER3
  • Honeywell H4W4GR1
  • Honeywell H4W4GR1V
  • Honeywell H4W8PR2
  • Honeywell HBD3PR1
  • Honeywell HBD3PR2
  • Honeywell HBD8GR1
  • Honeywell HBL2GR1
  • Honeywell HBL2GR1V
  • Honeywell HBL6GR2
  • Honeywell HBW2GR1
  • Honeywell HBW2GR1V
  • Honeywell HBW2GR3
  • Honeywell HBW2GR3V
  • Honeywell HBW2PER1
  • Honeywell HBW2PER2
  • Honeywell HBW4GR1
  • Honeywell HBW4GR1V
  • Honeywell HCD8G
  • Honeywell HCL2G
  • Honeywell HCL2GV
  • Honeywell HCPB302
  • Honeywell HCW2G
  • Honeywell HCW2GV
  • Honeywell HCW4G
  • Honeywell HDZ302D
  • Honeywell HDZ302DE
  • Honeywell HDZ302DIN
  • Honeywell HDZ302DIN-C1
  • Honeywell HDZ302DIN-S1
  • Honeywell HDZ302LIK
  • Honeywell HDZ302LIW
  • Honeywell HDZP252DI
  • Honeywell HDZP304DI
  • Honeywell HEN04102
  • Honeywell HEN04103
  • Honeywell HEN04103L
  • Honeywell HEN04112
  • Honeywell HEN04113
  • Honeywell HEN04122
  • Honeywell HEN04123
  • Honeywell HEN08102
  • Honeywell HEN08103
  • Honeywell HEN08103L
  • Honeywell HEN08104
  • Honeywell HEN08112
  • Honeywell HEN081124
  • Honeywell HEN08113
  • Honeywell HEN08122
  • Honeywell HEN08123
  • Honeywell HEN08142
  • Honeywell HEN08143
  • Honeywell HEN08144
  • Honeywell HEN08162
  • Honeywell HEN16102
  • Honeywell HEN16103
  • Honeywell HEN16103L
  • Honeywell HEN16104
  • Honeywell HEN16122
  • Honeywell HEN16123
  • Honeywell HEN16142
  • Honeywell HEN16143
  • Honeywell HEN16144
  • Honeywell HEN16162
  • Honeywell HEN16163
  • Honeywell HEN16184
  • Honeywell HEN16204
  • Honeywell HEN162244
  • Honeywell HEN16284
  • Honeywell HEN16304
  • Honeywell HEN16384
  • Honeywell HEN32103L
  • Honeywell HEN32104
  • Honeywell HEN321124
  • Honeywell HEN32204
  • Honeywell HEN322164
  • Honeywell HEN32284
  • Honeywell HEN32304
  • Honeywell HEN323164
  • Honeywell HEN32384
  • Honeywell HEN64204
  • Honeywell HEN642164
  • Honeywell HEN64304
  • Honeywell HEN643164
  • Honeywell HEN643324
  • Honeywell HEN643484
  • Honeywell HEPZ302W0
  • Honeywell HFD6GR1
  • Honeywell HM4L8GR1
  • Honeywell HMBL8GR1
  • Honeywell HRHQ1040
  • Honeywell HRHQ1040L
  • Honeywell HRHQ1041
  • Honeywell HRHQ1080
  • Honeywell HRHQ1080L
  • Honeywell HRHQ1081
  • Honeywell HRHQ1082
  • Honeywell HRHQ1160
  • Honeywell HRHQ1161
  • Honeywell HRHQ1162
  • Honeywell HRHQ1164
  • Honeywell HRHT4040
  • Honeywell HRHT4041
  • Honeywell HRHT4042
  • Honeywell HRHT4080
  • Honeywell HRHT4082
  • Honeywell HRHT4084
  • Honeywell HRHT4160
  • Honeywell HRHT41612
  • Honeywell HRHT4162
  • Honeywell HRHT4164
  • Honeywell HRHT4166
  • Honeywell HSW2G1
  • Honeywell HSWB2G1
  • Honeywell PW2P1

Recommendations

Run all software as a nonprivileged user with minimal access rights.
To reduce the impact of latent vulnerabilities, run the application with the minimal amount of privileges required for functionality.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.

Updates are available. Please see the references or vendor advisory for more information.

References

Credits

Honeywell


© 1995- Symantec Corporation
