Alerton, a subsidiary of Honeywell, is a major manufacturer of building management systems (BMS) for heating, ventilation, and air conditioning (HVAC). SCADAfence's research team discovered vulnerabilities that led to the first CVEs ever assigned to Alerton products, now published in NIST's National Vulnerability Database. Left unmitigated, these vulnerabilities could cause major disruptions in any facility where the affected products are deployed.
This is a technical report on how our research team discovered these vulnerabilities.
Alerton Ascent Suite
Alerton Ascent is a suite of controllers, devices, and software used for building management, specifically HVAC. The Ascent product suite is deployed in office buildings, server rooms, chemical labs, hospitals and more, with the purpose of maintaining the air flow and safe temperature that a given room or space requires.
The Ascent suite is made up of many different components. The Alerton Ascent network used in our research comprised:
- Alerton Ascent Control Module (ACM) – Main controller
- VLC-853 - Field controller
- Alerton Compass – Management and Control Tool
- Visual Logic - Programming Tool
As seen in the topology map, the ACM is connected to the VLC-853 field controller over a serial port. The Compass software and the Visual Logic software reach the ACM over Ethernet via a network switch.
Any user, innocent or malicious, can reach the Alerton devices and software either locally or remotely via that network switch, assuming there are no additional controls protecting the network (such as a firewall or switch port security).
A malicious user who gains access to the Ascent suite can degrade the confidentiality, integrity, and availability of the BMS as a whole.
Configuration Change for Alerton ACM
The Compass software provides the ability to configure the ACM. This configuration includes setting IP values, enabling or disabling specific ports, defining which networking protocols are active and more. In general, the configuration is set when the system is installed and is rarely changed thereafter.
The Attack - CVE-2022-30242 and CVE-2022-30245
Two of the disclosed CVEs, CVE-2022-30242 (CVSS 3.x score of 6.8) and CVE-2022-30245 (CVSS 3.x score of 6.5), allow configuration changes to be made outside the Compass software without any authorization or authentication. In addition, configuration changes made this way are not reflected in the Compass software, leaving the system operator unaware that the configuration changed.
The following is a Wireshark partial capture showing how the configuration data is sent over the network from the Compass Software to the ACM:
As seen in the traffic snippet above from Wireshark, the configuration is sent to the ACM as cleartext ASCII with no obfuscation, so the configuration data is trivial to read and to modify.
By extracting the whole configuration from the network traffic and setting the MSTP0 ENABLE field to N, we could disable the COM0 port from any computer with network access to the ACM.
As a result of sending a specially crafted packet with the above change, the configuration of the ACM changed, and COM0 was set to disabled, disconnecting the VLC-853 controller from the ACM:
Although the configuration change took effect, the Device Configuration window still indicates to the operator that COM0 is enabled:
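The practical consequence of the cleartext upload is that anyone on the network segment can read it, including a defender. The following is an added example (not SCADAfence's, Alerton's or Honeywell's code) of a passive baseline check: it parses an observed configuration upload to the ACM, diffs it against the configuration Compass last pushed, and alerts on writes from unexpected hosts or on changes to port-enable fields. The page does not reproduce the capture, so the one-field-per-line "NAME=VALUE" layout, the host addresses and the extra field names are assumptions made for this example; only "MSTP0 ENABLE" with values Y and N comes from the write-up.

```python
"""Passive baseline check for cleartext ACM configuration uploads.

Added example, not vendor code. The NAME=VALUE line layout, the host
addresses and every field name other than "MSTP0 ENABLE" are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Fields whose change cuts a field bus or network path off the ACM.
# "MSTP0 ENABLE" is the field flipped on this page; the others are assumed names.
HIGH_IMPACT_FIELDS = {"MSTP0 ENABLE", "MSTP1 ENABLE", "IP ADDRESS"}

# Engineering stations allowed to push configuration (assumed allowlist).
ALLOWED_SOURCES = {"192.0.2.10"}


@dataclass(frozen=True)
class ConfigChange:
    field: str
    old: Optional[str]
    new: Optional[str]


def parse_config(blob: bytes) -> Dict[str, str]:
    """Parse the ASCII upload into a field map (assumed NAME=VALUE layout)."""
    fields: Dict[str, str] = {}
    for raw in blob.decode("ascii", errors="replace").splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        fields[name.strip().upper()] = value.strip().upper()
    return fields


def diff_config(baseline: Dict[str, str], observed: Dict[str, str]) -> List[ConfigChange]:
    """List every field that was added, removed or changed, in name order."""
    changes = []
    for name in sorted(set(baseline) | set(observed)):
        if baseline.get(name) != observed.get(name):
            changes.append(ConfigChange(name, baseline.get(name), observed.get(name)))
    return changes


def assess_upload(src_ip: str, baseline: Dict[str, str], upload: bytes) -> List[str]:
    """Return alert strings for one configuration upload observed on the wire."""
    alerts = []
    observed = parse_config(upload)
    if src_ip not in ALLOWED_SOURCES:
        alerts.append(f"config upload from unexpected host {src_ip}")
    for change in diff_config(baseline, observed):
        severity = "HIGH" if change.field in HIGH_IMPACT_FIELDS else "INFO"
        alerts.append(f"{severity}: {change.field} changed {change.old!r} -> {change.new!r}")
    return alerts


# Constructed sample: the baseline as last pushed by Compass, and a replayed copy
# sent from another host with MSTP0 ENABLE flipped to N (the change on this page).
BASELINE_UPLOAD = (
    b"IP ADDRESS=192.0.2.50\r\n"
    b"MSTP0 ENABLE=Y\r\n"
    b"MSTP0 BAUD=76800\r\n"
    b"BACNET IP PORT=47808\r\n"
)
TAMPERED_UPLOAD = BASELINE_UPLOAD.replace(b"MSTP0 ENABLE=Y", b"MSTP0 ENABLE=N")

if __name__ == "__main__":
    base = parse_config(BASELINE_UPLOAD)
    # A legitimate re-push from the engineering station raises nothing.
    for alert in assess_upload("192.0.2.10", base, BASELINE_UPLOAD):
        print(alert)
    # The replay from an unknown host raises both a source alert and a HIGH diff.
    for alert in assess_upload("192.0.2.99", base, TAMPERED_UPLOAD):
        print(alert)
```

Because the ACM reports the stale configuration back to Compass, the wire is the only place the change is visible; the baseline used for the diff has to come from the last upload the engineering station actually sent, not from what the management software displays.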
In a real life scenario, this can have significant and/or tragic effects.
Leveraged in a real-life setting, this vulnerability can cause connectivity issues or undefined behavior across the entire network. In the example above, COM0 was disabled, cutting the VLC-853 off from the network.
If that VLC-853 were responsible for keeping a cloud storage server room properly cooled, operators who notice that the VLC-853 has stopped communicating with the ACM, and who are unaware that a configuration change occurred, might feel compelled to shut down the server farm for fear of the servers overheating, causing major disruptions to numerous services worldwide.
This is a single example of a single configuration change. Any number of other changes could have similarly troubling effects.
Programming Changes for Alerton Controllers
Programming of Alerton controllers is done using Visual Logic, an Alerton proprietary plug-in for Microsoft Visio. Programs written in Visual Logic are represented as diagrams, as seen below:
Engineers responsible for defining the programmatic logic a controller needs for its specific role in the network write these programs and push them to the controller, where they run.
Programs are written and edited on an as-needed basis and are not accessed frequently so long as the target device is fulfilling its intended purpose.
The Attack - CVE-2022-30243 and CVE-2022-30244
In our research, we successfully wrote a program to an Alerton ACM device without authorization or authentication. In addition, the Visual Logic software gave no indication that a programming change had occurred, or that the program saved in the engineering software differed from the one actually running on the ACM. This leaves an operator clueless as to why a controller has malfunctioned, changed its behavior or stopped processing altogether.
This resulted in the disclosure of two CVEs, CVE-2022-30243 (CVSS 3.x score of 8.8) and CVE-2022-30244 (CVSS 3.x score of 8.0).
The packet sequence for writing a program to the ACM is a fixed sequence of BACnet commands, listed in order as follows:
With the exception of ADD_CODE_BLOCK_PACKET, all of the commands above are static, constant BACnet packets whose only dynamic parameter is the invoke ID. As standard BACnet carries no authentication, there are no authorization checks to ensure that the commands being sent come from a reliable and authorized source.
An attacker who has network access to any of the Alerton controllers can send a maliciously crafted program, using the above sequence of commands, to change a program on the target controller. This is done without the knowledge of an operator, as there is no indication of a program change in the Compass software or the Visual Logic Programming Visio plug-in.
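Since the protocol itself will not reject these writes, the compensating control is to watch for them on the network. The following is an added example (not SCADAfence's, Alerton's or Honeywell's code) of a passive BACnet/IP inspector: it decodes the public BVLC, NPDU and Confirmed-Request APDU framing defined in ASHRAE 135, extracts the invoke ID and service choice, and alerts on write-class services (AtomicWriteFile, WriteProperty, ConfirmedPrivateTransfer and the like) sent to a controller from any host other than the engineering station. The vendor-specific command sequence on this page is not reproduced; the sample frames, host addresses and allowlist are constructed for the example.

```python
"""Passive BACnet/IP write detector for controller-bound traffic.

Added example, not vendor code. Framing follows ASHRAE 135 (BVLC, NPDU,
APDU); the sample frames, IP addresses and allowlist are constructed.
"""
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Confirmed service choices that change controller state, files or objects.
WRITE_SERVICES = {
    7: "atomicWriteFile",
    10: "createObject",
    11: "deleteObject",
    15: "writeProperty",
    16: "writePropertyMultiple",
    17: "deviceCommunicationControl",
    18: "confirmedPrivateTransfer",  # vendor-defined payloads travel in this service
    20: "reinitializeDevice",
}
ENGINEERING_STATIONS = {"192.0.2.10"}  # assumed allowlist of Compass / Visual Logic hosts


class ConfirmedRequest(NamedTuple):
    invoke_id: int
    service: int
    segmented: bool


def parse_confirmed_request(frame: bytes) -> Optional[ConfirmedRequest]:
    """Return the Confirmed-Request header of a BACnet/IP frame, or None."""
    # BVLC: type 0x81, function octet, 16-bit length covering the whole frame.
    if len(frame) < 6 or frame[0] != 0x81:
        return None
    if int.from_bytes(frame[2:4], "big") != len(frame):
        return None  # truncated or padded frame: do not trust the rest
    i = 4
    # NPDU: protocol version 1 followed by a control octet.
    if frame[i] != 0x01:
        return None
    control = frame[i + 1]
    i += 2
    if control & 0x80:
        return None  # network-layer message, carries no APDU
    if control & 0x20:  # DNET (2), DLEN (1), DADR (DLEN) present
        i += 3 + frame[i + 2]
    if control & 0x08:  # SNET (2), SLEN (1), SADR (SLEN) present
        i += 3 + frame[i + 2]
    if control & 0x20:
        i += 1  # hop count follows the addresses when DNET is present
    apdu = frame[i:]
    if len(apdu) < 4 or (apdu[0] >> 4) != 0x00:
        return None  # PDU type 0 is Confirmed-Request; anything else is ignored
    segmented = bool(apdu[0] & 0x08)
    # Segmented requests carry sequence number and window size before the service choice.
    service_idx = 5 if segmented else 3
    if len(apdu) <= service_idx:
        return None
    return ConfirmedRequest(invoke_id=apdu[2], service=apdu[service_idx], segmented=segmented)


def inspect(frames: Iterable[Tuple[str, str, bytes]]) -> List[str]:
    """Alert on write-class confirmed requests from non-engineering hosts."""
    alerts = []
    for src, dst, payload in frames:
        req = parse_confirmed_request(payload)
        if req is None or req.service not in WRITE_SERVICES or src in ENGINEERING_STATIONS:
            continue
        alerts.append(
            f"{src} -> {dst}: {WRITE_SERVICES[req.service]} "
            f"(invokeID {req.invoke_id}) from non-engineering host"
        )
    return alerts


# Constructed sample frames: BVLC Original-Unicast-NPDU, NPDU "expecting reply".
# WriteProperty, invoke ID 7: analog-value 1, present-value := 100.0, priority 8.
WRITE_PROPERTY = bytes.fromhex("810a001a" "0104" "0005070f" "0c00800001" "1955" "3e4442c800003f" "4908")
# AtomicWriteFile, invoke ID 8: file object 1, stream write of five octets at offset 0.
ATOMIC_WRITE_FILE = bytes.fromhex("810a001a" "0104" "00050807" "0c02800001" "0e3100650501020304050f")
# ReadProperty, invoke ID 9: a benign read that must not alert.
READ_PROPERTY = bytes.fromhex("810a0011" "0104" "0005090c" "0c00800001" "1955")

SAMPLE_FRAMES = [
    ("192.0.2.10", "192.0.2.50", WRITE_PROPERTY),    # engineering station, allowed
    ("192.0.2.99", "192.0.2.50", READ_PROPERTY),     # unknown host, read only
    ("192.0.2.99", "192.0.2.50", ATOMIC_WRITE_FILE),  # unknown host pushing content
    ("192.0.2.99", "192.0.2.50", WRITE_PROPERTY),    # unknown host changing a point
]

if __name__ == "__main__":
    for alert in inspect(SAMPLE_FRAMES):
        print(alert)
```

A run of write-class requests from one source with increasing invoke IDs is the wire-level shape of a program download; grouping the alerts by source and invoke ID order reproduces the sequence the operator never sees in Compass or Visual Logic.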
The following image is a diagram of the program that we pushed to the controller in the previous section; however, an additional component was added and pushed to the controller from a third-party computer with no access to the Visual Logic software:
The only indication that a programming change occurred is by clicking the Read from Device button as seen in the image below, and comparing the downloaded program to that which is stored on the engineering station:
As with the configuration change vulnerabilities, if these vulnerabilities are leveraged against an Alerton controller in a real-life production network, the effects can be catastrophic.
If a controller manages the air flow in a chemical lab, and a program is written to it that renders it useless for that purpose (either a stub program, or a program that does not meet the air flow requirement), anyone in the lab could be placed in a life-threatening situation.
The potential scenarios that can occur by taking advantage of these vulnerabilities are endless, and can be very serious and even lethal.
Full details on the CVEs can be found on the official NIST website:
In response to SCADAfence's findings, Honeywell issued a Product Security Bulletin informing Alerton ACM Controller users of the vulnerabilities.