Some of Honeywell’s MAXPRO video surveillance systems are affected by serious vulnerabilities that can be exploited by hackers to take complete control of the system, a researcher has discovered.

Researcher Joachim Kerschbaumer told SecurityWeek that he reported his findings to Honeywell in September 2019 and the vendor released patches after roughly 2 months, which he says is a fast response time compared to other physical security systems manufacturers he has contacted to report flaws.

The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) published an advisory this week for the vulnerabilities found by Kerschbaumer. CISA learned about the security holes from Honeywell, and Kerschbaumer says the agency’s description of the vulnerabilities is not entirely accurate.

Kerschbaumer identified two vulnerabilities in Honeywell’s MAXPRO video management system (VMS) and network video recorder (NVR) products. Specifically, they impact HNMSWVMS and HNMSWVMSLT VMS products, and XE, SE, PE and MPNVRSWXX NVR products. MAXPRO VMS 560 Build 595 T2-Patch and MAXPRO NVR 5.6 Build 595 T2-Patch address the vulnerabilities. Honeywell has shared information about the vulnerabilities in its SN 2019-10-25 01 security notice.

Vulnerabilities found in Honeywell surveillance systems

One of the weaknesses, CVE-2020-6959, has been described as a deserialization issue that can lead to unauthenticated remote code execution. The second flaw, CVE-2020-6960, is a SQL injection vulnerability that can also be exploited remotely without authentication.

The researcher has provided the following descriptions for the vulnerabilities:

CVE-2020-6959: A default installation of MAXPRO starts a Windows service that hosts a service that uses .NET Remoting for communication. Due to the nature of .NET Remoting and the unsafe hardcoded configuration of this service, an attacker can create custom payloads that use the .NET BinaryFormatter with available open source tools.

As soon as the service receives the payload, it deserializes it no matter whether the data is of the type the service expects. There is no form of authentication or preventative measures in place in order to avoid this. This can be exploited in order to execute arbitrary code with the permissions of the service that executes the payload. In this case the service runs with SYSTEM-level permissions by default.

CVE-2020-6960: A default installation of MAXPRO starts a service called “TrinityService” (which contains a broad range of services necessary for the system). The service was created using Microsoft’s Windows Communication Foundation (WCF) and hosted an endpoint using Microsoft’s proprietary binary SOAP protocol. This service contained a service method that accepted a generic “Request-Object”.

By supplying a specially crafted object, an attacker can provide arbitrary SQL statements as parameter that immediately get executed by the service, resulting in full control over the database. By default the service user is allowed to reconfigure the default installation of Microsoft’s SQL Server, which allows enabling additional (available by default) SQL Server features that allow an attacker to execute code with SYSTEM-level permissions. No authentication is needed to call this method remotely.

Both vulnerabilities can give an attacker complete control over the targeted system with SYSTEM-level privileges. This would allow them, among other things, to access video feeds and change the system’s configuration, Kerschbaumer said.

The CVSS score assigned by CISA to the vulnerabilities puts them in the critical severity category, but Honeywell’s advisory rates them as high severity — CISA says attack complexity (AC) in the CVSS score calculation is low, while Honeywell says it’s high.

Kerschbaumer told SecurityWeek that the vulnerabilities are not particularly difficult to exploit — he has demonstrated exploitation using freely available tools — but in most cases an attack requires network access to the targeted systems, as the ports they use are typically not exposed to the internet.

Kerschbaumer said these vulnerabilities were identified as part of a larger research project into video management systems and access control systems. The project targeted over 40 products and resulted in the discovery of more than 60 vulnerabilities.