CVE-2026-3611
Status: Analyzed - Analysis Complete
Unauthorized Access via Authentication Bypass in Honeywell IQ4x Controller

Publication date: 2026-03-12

Last updated on: 2026-06-05

Assigner: ICS-CERT

Description
The Honeywell IQ4x building management controller exposes its full web-based HMI without authentication in its factory-default configuration. With no user module configured, security is disabled by design and the system operates under a System Guest (level 100) context, granting read/write privileges to any party able to reach the HTTP interface. Authentication controls are only enforced after a web user is created via U.htm, which dynamically enables the user module. Because this function is accessible prior to authentication, a remote user can create a new account with administrative read/write permissions, enabling the user module and imposing authentication under attacker-controlled credentials. This action can effectively lock legitimate operators out of local and web-based configuration and administration.
Meta Information
Published: 2026-03-12
Last Modified: 2026-06-05
Generated: 2026-06-16
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
5 associated CPEs ("exc" = the upper bound 3.30 is excluded, i.e. firmware versions before 3.30)
Vendor     Product          Version / Range
honeywell  iq4e_firmware    to 3.30 (exc)
honeywell  iq412_firmware   to 3.30 (exc)
honeywell  iq422_firmware   to 3.30 (exc)
honeywell  iq4nc_firmware   to 3.30 (exc)
honeywell  iq41x_firmware   to 3.30 (exc)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

The vulnerability affects the Honeywell IQ4x building management controller, which in its factory-default configuration exposes its full web-based Human Machine Interface (HMI) without requiring any authentication.

If no user module is configured, the system disables security by design and operates under a System Guest (level 100) context, granting read/write privileges to anyone who can access the HTTP interface.

Authentication controls only activate after a web user is created via a specific interface (U.htm), which dynamically enables the user module.

However, this user creation function is accessible without authentication, allowing a remote attacker to create a new administrative account with full read/write permissions.

This enables the attacker to enable the user module under attacker-controlled credentials and potentially lock out legitimate operators from both local and web-based configuration and administration.

Impact Analysis

Successful exploitation of this vulnerability can allow unauthorized access to controller management settings and control of components within the building management system.

An attacker could disclose sensitive information or cause denial-of-service conditions by locking out legitimate operators from configuration and administration.

Because the vulnerability grants full read/write privileges without authentication, it poses a critical risk to the confidentiality, integrity, and availability of the system.

Detection Guidance

This vulnerability can be detected by checking whether the Honeywell IQ4x building management controller's web-based HMI is accessible without authentication on the network. Specifically, if the HTTP interface is reachable and allows access without requiring user credentials, the system is likely vulnerable.

One way to detect this is to attempt to access the U.htm page on the device's web interface, which is used to create a new administrative user without authentication. If this page is accessible and allows user creation without login, the vulnerability is present.

Suggested commands to detect this include using tools like curl or wget to request the U.htm page and observe the response. For example:

    curl -I http://<device-ip>/U.htm
    curl http://<device-ip>/U.htm

If these commands return the page without requiring authentication, it indicates the device is vulnerable. [2]
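Beyond probing the device itself, a defender can watch for the user-creation page being touched. The following is an added detection example, not part of this advisory or any Honeywell tooling: it runs over constructed Common Log Format lines from an assumed proxy or firewall in front of the controller, treats 10.20.0.0/24 as the assumed trusted operator subnet, and flags any request to U.htm (severity by source and method) plus any HMI access from outside that subnet.

```python
"""Added example for CVE-2026-3611: flag requests that touch the IQ4x user-module
page U.htm, and any HMI access from outside the operator network. Assumes a proxy
or firewall in front of the controller logs in Common Log Format and that the
trusted operator subnet is 10.20.0.0/24 (both assumptions, not from the advisory)."""
import ipaddress
import re
from typing import Optional

# Constructed sample lines, not captured from a real controller.
SAMPLE_LOG = """\
10.20.0.15 - - [12/Mar/2026:09:01:10 +0000] "GET /index.htm HTTP/1.1" 200 5120
10.20.0.15 - - [12/Mar/2026:09:02:31 +0000] "GET /U.htm HTTP/1.1" 200 2048
198.51.100.77 - - [12/Mar/2026:09:05:02 +0000] "GET /index.htm HTTP/1.1" 200 5120
198.51.100.77 - - [12/Mar/2026:09:05:40 +0000] "POST /U.htm HTTP/1.1" 200 310
203.0.113.9 - - [12/Mar/2026:09:07:13 +0000] "GET /u.htm HTTP/1.1" 200 2048
"""
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumed operator subnet
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line; None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return {"src": src, "ts": ts, "method": method, "path": path, "status": int(status)}

def is_trusted(src: str) -> bool:
    """True when the source address lies inside an allowed operator subnet."""
    return any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)

def detect(log_text: str) -> list:
    """Return (severity, source, reason) tuples in log order."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        page = e["path"].split("?", 1)[0].lower()  # compare U.htm case-insensitively
        outsider = not is_trusted(e["src"])
        what = f"{e['method']} {e['path']}"
        if page.endswith("/u.htm"):
            if outsider:                 # user-module page reached from outside: lockout risk
                sev = "high"
            elif e["method"] == "POST":  # operator changing auth state: confirm with staff
                sev = "medium"
            else:
                sev = "info"
            findings.append((sev, e["src"], f"{what} (user-module page U.htm)"))
        elif outsider:
            findings.append(("medium", e["src"], f"{what} (HMI reached from outside trusted network)"))
    return findings
```

Feed real proxy or firewall logs to detect() and review every "high" finding first: on an unpatched controller a single POST to U.htm from outside the operator network is enough to impose attacker-chosen credentials.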

Mitigation Strategies

Immediate mitigation steps include minimizing network exposure of the affected Honeywell IQ4x controllers by isolating them behind firewalls and restricting access to trusted networks only.

Use secure remote access methods such as VPNs to connect to the control system network, ensuring these VPNs are kept up to date and properly configured.

Perform impact analysis and risk assessments before deploying any mitigation to understand potential effects on operations.

Follow best practices for industrial control system cybersecurity, including protecting against social engineering attacks by avoiding unsolicited email links or attachments.

Since Honeywell has not released a fix yet, users are advised to contact Honeywell directly for further guidance and updates.
