Honeywell OneWireless Device Manager Vulnerability - 20230317001

Overview

Successful exploitation of these vulnerabilities could disclose sensitive information, allow privilege escalation, or allow remote code execution.

What is the vulnerability?

Command Injection, Use of Insufficiently Random Values, Missing Authentication for Critical Function

What is vulnerable?

Honeywell reports these vulnerabilities affect the following versions of OneWireless WDM:

  • All versions up to R322.1

CVEs:

  • CVE-2022-46361
  • CVE-2022-43485
  • CVE-2022-4240

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-06

CWEs:

Recommendation

  • The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices. Honeywell recommends users upgrade OneWireless WDM to release R322.2 (Honeywell Website).

Additional References