CVE-2013-0108
published 2013-02-24


Priority: P352, medium, 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 26.64% (97.8th percentile)
An ActiveX control in HscRemoteDeploy.dll in Honeywell Enterprise Buildings Integrator (EBI) R310, R400.2, R410.1, and R410.2; SymmetrE R310, R410.1, and R410.2; ComfortPoint Open Manager (aka CPO-M) Station R100; and HMIWeb Browser client packages allows remote attackers to execute arbitrary code via a crafted HTML document.

Affected (8 ranges)

Vendor      Product                                Version range   Fixed in
honeywell   comfortpoint_open_manager_station
honeywell   enterprise_buildings_integrator
honeywell   enterprise_buildings_integrator
honeywell   enterprise_buildings_integrator
honeywell   enterprise_buildings_integrator
honeywell   symmetre
honeywell   symmetre
honeywell   symmetre

Detection & IOCs (extracted from sources)

filename: HscRemoteDeploy.dll
path: /SystemDisplays/RemoteInstallWelcome.hta
command: RemoteInstaller.LaunchInstaller()
other: application/hta
  • Detect ActiveX instantiation of HscRemoteDeploy.dll's LaunchInstaller() method being called from a browser context, particularly with a remote URI argument pointing to an .hta file.
  • Monitor HTTP responses serving content with Content-Type 'application/hta', especially when preceded by a request to a path matching /SystemDisplays/RemoteInstallWelcome.hta — a pattern used by the Metasploit exploit module.
  • Alert on MSIE User-Agent strings in requests for .hta resources; the exploit module explicitly rejects non-MSIE browsers, so MSIE UA + .hta fetch is a strong signal.
  • The exploit only works against Internet Explorer; non-MSIE browsers are explicitly rejected by the Metasploit module, limiting the attack surface to IE-based clients.
  • Social engineering is required; the attacker must convince the user to visit a malicious site or click a link, reducing the likelihood of successful exploitation.
  • HscRemoteDeploy.dll is not used for runtime functions and can be disabled without impacting operations; it is only needed for initial HMIWeb Browser client installation/upgrade.
  • A Microsoft kill bit was requested for HscRemoteDeploy.dll; systems using Windows Update may have the DLL automatically disabled via a Microsoft Patch Tuesday security update.
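
The network-side detection bullets above (an .hta fetch, a Content-Type of application/hta, an MSIE User-Agent), sketched as an added example that is not part of the original page or of any vendor tooling. The tab-separated log layout, the sample records, and the function names are assumptions made for illustration.

```python
import csv
import io
from urllib.parse import urlsplit, unquote

# Constructed sample proxy log (not real traffic). Assumed tab-separated layout:
# timestamp, client, host, uri, user_agent, response_content_type
SAMPLE_LOG = "\n".join([
    "2013-03-01T09:00:01Z\t10.0.0.5\tweb.example\t/index.html\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\ttext/html",
    "2013-03-01T09:00:02Z\t10.0.0.5\tweb.example\t/SystemDisplays/RemoteInstallWelcome.hta\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\tapplication/hta",
    "2013-03-01T09:05:10Z\t10.0.0.9\tfiles.example\t/tools/Setup.HTA?v=2\tMozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0\tapplication/octet-stream",
    "2013-03-01T09:07:44Z\t10.0.0.7\tcdn.example\t/a%2Ehta\tMozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)\tApplication/HTA; charset=utf-8",
])

# Path named in the IOC list above, lower-cased for comparison.
KNOWN_PATH = "/systemdisplays/remoteinstallwelcome.hta"

def score_record(uri, user_agent, content_type):
    """Return the signals from the detection bullets that one record matches."""
    path = unquote(urlsplit(uri).path).lower()             # drop query, decode %2E, fold case
    mime = content_type.split(";", 1)[0].strip().lower()   # ignore charset parameters
    signals = []
    if path.endswith(".hta"):
        signals.append("hta_path")
    if mime == "application/hta":
        signals.append("hta_content_type")
    if "msie" in user_agent.lower():
        signals.append("msie_ua")
    if path == KNOWN_PATH:
        signals.append("known_module_path")
    return signals

def find_hta_fetches(log_text):
    """Return (timestamp, client, host, signals) for MSIE clients fetching HTA content."""
    hits = []
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) != 6:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, host, uri, ua, ctype = row
        signals = score_record(uri, ua, ctype)
        is_hta = "hta_path" in signals or "hta_content_type" in signals
        if is_hta and "msie_ua" in signals:
            hits.append((ts, client, host, signals))
    return hits

if __name__ == "__main__":
    for hit in find_hta_fetches(SAMPLE_LOG):
        print(hit)
```

Internet Explorer 11 identifies itself with a Trident/7.0 token and no MSIE token, so extend the User-Agent check if such clients exist in the environment.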