ICSA-22-207-02  ·  Published 2022-07-26

Honeywell Safety Manager

CVSS 7.5 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could allow for configuration and firmware manipulation or remote code execution.

Remediations

Honeywell has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • (CVE-2022-30315) Safety Manager and FSC use a key switch control to prevent users from downloading unauthorized safety logic. When the key switch is in the locked state, users cannot download any logic whatsoever.
  • (CVE-2022-30315) Safety Builder should reside on a station with restrictive access controls. Network controls should be in place to limit the nodes permitted to communicate the builder protocol to the Safety Manager.
  • (CVE-2022-30315) Users are advised to follow the Safety Manager release documentation.
  • (CVE-2022-30313) Safety Manager and FSC use a key switch control to prevent users from downloading unauthorized safety logic. When the key switch is in the locked state, users cannot download any logic whatsoever.
  • (CVE-2022-30313) Safety Builder should reside on a station with restrictive access controls. Network controls should be in place to limit the nodes permitted to communicate the builder protocol to the Safety Manager.
  • (CVE-2022-30313) Users are advised to follow the Safety Manager release documentation.
  • (CVE-2022-30314) Safety Manager R160.1 and later releases include a remediation for this item. R160.1 was introduced in October 2014. Users are advised to operate on the latest release and point release.
  • (CVE-2022-30314) Customers should isolate process control networks following our security best practices.
  • (CVE-2022-30314) Users are advised to follow the Safety Manager Release documentation. See the section 'Security Recommendations and Best Practices'.
  • (CVE-2022-30316) The Safety Manager key switch prevents unauthorized firmware from being installed. Users are advised to monitor the key switch position.
  • (CVE-2022-30316) Users are advised to follow the Safety Manager Release documentation. See the section 'Security Recommendations and Best Practices'.

Affected Vendors

Honeywell

Affected Products (2)

Honeywell · Safety Manager <R160.1
Honeywell · Safety Manager vers:all/*

Affected Sectors

Multiple