Details of VAR-201302-0202

ID

VAR-201302-0202

CVE

CVE-2013-0108

TITLE

plural Honeywell Product HscRemoteDeploy.dll Vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2013-001676

DESCRIPTION

An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R410.2; SymmetrE R310, R410.1, and R410.2; ComfortPoint Open Manager (aka CPO-M) Station R100; and HMIWeb Browser client packages allows remote attackers to execute arbitrary code via a crafted HTML document. Honeywell is a manufacturing company focused on automation control. An unspecified error in the Honeywell multiple product HscRemoteDeploy.dll module allows an attacker to build a malicious WEB page, entice the user to parse, and execute arbitrary code in the application context. The following products are affected by this vulnerability: * Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R410.2* Honeywell SymmetrE R310, R410.1, and R410.2* Honeywell ComfortPoint Open Manager (CPO- M) R100. Multiple Honeywell products are prone to a remote code-execution vulnerability because they fail to properly validate user-supplied input. Failed exploit attempts likely result in denial-of-service conditions. The following products are vulnerable: Honeywell EBI Honeywell SymmetrE Honeywell CPO-M

Trust: 2.61

sources: NVD: CVE-2013-0108 // JVNDB: JVNDB-2013-001676 // CNVD: CNVD-2013-01315 // BID: 58134 // IVD: 128c213c-2353-11e6-abef-000c29c66e3d

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.8

sources: IVD: 128c213c-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-01315

AFFECTED PRODUCTS

vendor:	honeywell	model:	comfortpoint open manager station	scope:	eq	version:	r100	Trust: 2.4
vendor:	honeywell	model:	enterprise buildings integrator	scope:	eq	version:	r310	Trust: 2.4
vendor:	honeywell	model:	enterprise buildings integrator	scope:	eq	version:	r400.2	Trust: 2.4
vendor:	honeywell	model:	enterprise buildings integrator	scope:	eq	version:	r410.1	Trust: 2.4
vendor:	honeywell	model:	enterprise buildings integrator	scope:	eq	version:	r410.2	Trust: 2.4
vendor:	honeywell	model:	symmetre	scope:	eq	version:	r310	Trust: 2.4
vendor:	honeywell	model:	symmetre	scope:	eq	version:	r410.1	Trust: 2.4
vendor:	honeywell	model:	symmetre	scope:	eq	version:	r400.2	Trust: 1.6
vendor:	honeywell	model:	symmetre	scope:	eq	version:	r410.2	Trust: 0.8
vendor:	honeywell	model:	comfortpoint open manager	scope:	-	version:	-	Trust: 0.6
vendor:	honeywell	model:	symmetre	scope:	-	version:	-	Trust: 0.6
vendor:	honeywell	model:	enterprise buildings integrator	scope:	-	version:	-	Trust: 0.6
vendor:	honeywell	model:	ebi r410.2	scope:	-	version:	-	Trust: 0.3
vendor:	honeywell	model:	ebi r410.1	scope:	-	version:	-	Trust: 0.3
vendor:	buildings integrator	model:	r310	scope:	-	version:	-	Trust: 0.2
vendor:	buildings integrator	model:	r400.2	scope:	-	version:	-	Trust: 0.2
vendor:	buildings integrator	model:	r410.1	scope:	-	version:	-	Trust: 0.2
vendor:	buildings integrator	model:	r410.2	scope:	-	version:	-	Trust: 0.2
vendor:	symmetre	model:	r310	scope:	-	version:	-	Trust: 0.2
vendor:	symmetre	model:	r400.2	scope:	-	version:	-	Trust: 0.2
vendor:	symmetre	model:	r410.1	scope:	-	version:	-	Trust: 0.2
vendor:	comfortpoint open manager station	model:	r100	scope:	-	version:	-	Trust: 0.2

sources: IVD: 128c213c-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-01315 // BID: 58134 // JVNDB: JVNDB-2013-001676 // CNNVD: CNNVD-201302-554 // NVD: CVE-2013-0108

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-0108
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-0108
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201302-554
value:	MEDIUM
Trust: 0.6
IVD:	128c213c-2353-11e6-abef-000c29c66e3d
value:	MEDIUM
Trust: 0.2

nvd@nist.gov:	CVE-2013-0108
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
IVD:	128c213c-2353-11e6-abef-000c29c66e3d
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2

sources: IVD: 128c213c-2353-11e6-abef-000c29c66e3d // JVNDB: JVNDB-2013-001676 // CNNVD: CNNVD-201302-554 // NVD: CVE-2013-0108

PROBLEMTYPE DATA

problemtype:

CWE-94

Trust: 1.8

sources: JVNDB: JVNDB-2013-001676 // NVD: CVE-2013-0108

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201302-554

TYPE

Code injection

Trust: 0.8

sources: IVD: 128c213c-2353-11e6-abef-000c29c66e3d // CNNVD: CNNVD-201302-554

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-001676

PATCH

title:	Top Page	url:	http://honeywell.com/Pages/Home.aspx	Trust: 0.8
title:	Top Page	url:	http://honeywell.com/sites/jp/Pages/home.aspx	Trust: 0.8
title:	Patch of multiple Honeywell products 'HscRemoteDeploy.dll' Activex Control Remote Code Execution Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/32332	Trust: 0.6

sources: CNVD: CNVD-2013-01315 // JVNDB: JVNDB-2013-001676

EXTERNAL IDS

db:	NVD	id:	CVE-2013-0108	Trust: 3.5
db:	ICS CERT	id:	ICSA-13-053-02	Trust: 3.0
db:	CNVD	id:	CNVD-2013-01315	Trust: 0.8
db:	CNNVD	id:	CNNVD-201302-554	Trust: 0.8
db:	JVNDB	id:	JVNDB-2013-001676	Trust: 0.8
db:	SECUNIA	id:	52389	Trust: 0.6
db:	BID	id:	58134	Trust: 0.3
db:	IVD	id:	128C213C-2353-11E6-ABEF-000C29C66E3D	Trust: 0.2

sources: IVD: 128c213c-2353-11e6-abef-000c29c66e3d // CNVD: CNVD-2013-01315 // BID: 58134 // JVNDB: JVNDB-2013-001676 // CNNVD: CNNVD-201302-554 // NVD: CVE-2013-0108

REFERENCES

url:	http://ics-cert.us-cert.gov/pdf/icsa-13-053-02.pdf	Trust: 2.4
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-0108	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-0108	Trust: 0.8
url:	http://ics-cert.us-cert.gov/pdf/icsa-13-053-02.pdfhttp	Trust: 0.6
url:	http://secunia.com/advisories/52389	Trust: 0.6
url:	http://www.security.honeywell.com/	Trust: 0.3

sources: CNVD: CNVD-2013-01315 // BID: 58134 // JVNDB: JVNDB-2013-001676 // CNNVD: CNNVD-201302-554 // NVD: CVE-2013-0108

CREDITS

Juan Vazquez of Rapid7

Trust: 0.3

sources: BID: 58134

SOURCES

db:	IVD	id:	128c213c-2353-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2013-01315
db:	BID	id:	58134
db:	JVNDB	id:	JVNDB-2013-001676
db:	CNNVD	id:	CNNVD-201302-554
db:	NVD	id:	CVE-2013-0108

LAST UPDATE DATE

2025-04-11T22:49:02.721000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2013-01315	date:	2013-05-26T00:00:00
db:	BID	id:	58134	date:	2013-04-10T14:08:00
db:	JVNDB	id:	JVNDB-2013-001676	date:	2013-02-27T00:00:00
db:	CNNVD	id:	CNNVD-201302-554	date:	2013-02-26T00:00:00
db:	NVD	id:	CVE-2013-0108	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	IVD	id:	128c213c-2353-11e6-abef-000c29c66e3d	date:	2013-02-28T00:00:00
db:	CNVD	id:	CNVD-2013-01315	date:	2013-02-28T00:00:00
db:	BID	id:	58134	date:	2013-02-22T00:00:00
db:	JVNDB	id:	JVNDB-2013-001676	date:	2013-02-27T00:00:00
db:	CNNVD	id:	CNNVD-201302-554	date:	2013-02-26T00:00:00
db:	NVD	id:	CVE-2013-0108	date:	2013-02-24T11:48:21.407