RIOT Solutions Security Consultant Mark Cross discovers vulnerabilities in a number of AutomationDirect’s industrial control products.
In late July 2017, Mark discovered vulnerabilities in several of AutomationDirect’s industrial control products, specifically in the Windows programming and configuration software used to interact with the hardware. Each is an uncontrolled search path (DLL hijacking) weakness: the software loads DLLs by bare name and searches a fixed sequence of directories for them, so a crafted DLL placed in a directory that the loader consults before the legitimate one is loaded instead, and the attacker’s code executes with the privileges of the user running the software.
He stopped testing after successfully exploiting seven separate products in a row. The information below outlines the coordinated disclosure details for five of those seven applications; the remaining two, and potentially more, are expected to be disclosed in due course.
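To make the mechanism concrete, here is an added example, not code from this article, RIOT Solutions or AutomationDirect, that models the Windows DLL search order in Python and reports which attacker-writable directories the loader consults before it reaches the legitimate DLL. The directory layout, the DLL inventory and the set of writable directories are constructed assumptions. It compares three configurations: the default SafeDllSearchMode order, the legacy order with that mode disabled, and a System32-only search of the kind an application gets by loading with LOAD_LIBRARY_SEARCH_SYSTEM32 or an absolute path.

```python
"""Walk the Windows DLL search order and flag hijackable load paths.

Constructed example for this article; not code from RIOT Solutions,
AutomationDirect or ICS-CERT. Every directory name, the DLL inventory and the
writable-directory set are assumptions made up for illustration.
"""

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"

# Constructed scenario: a vendor configuration tool under Program Files, a
# project file opened from the user's Downloads folder (which becomes the
# process's current directory), and one world-writable directory on PATH.
APP_DIR = r"C:\Program Files\Vendor\ConfigTool"
CWD = r"C:\Users\alice\Downloads\project"
TOOLS_DIR = r"C:\Tools\bin"
PATH_DIRS = [r"C:\Windows\System32\WindowsPowerShell\v1.0", TOOLS_DIR]

# Constructed inventory of which DLLs live where. helper.dll is deliberately
# absent everywhere: a DLL the tool asks for but never ships.
PRESENT = {
    APP_DIR: {"configtool.exe", "ui.dll"},
    SYSTEM32: {"version.dll", "kernel32.dll"},
}

# Directories an unprivileged user can write to in this scenario (assumption).
WRITABLE = {CWD, TOOLS_DIR}


def search_order(app_dir, cwd, path_dirs, safe_mode=True):
    """Directories LoadLibrary consults, in order, for a DLL given by bare name.

    safe_mode=True is SafeDllSearchMode (the default since Windows XP SP2): the
    current directory is searched after the system directories. With it
    disabled the current directory comes second. Known DLLs, already-loaded
    modules and manifest redirection short-circuit this walk and are not
    modelled here.
    """
    system_dirs = [SYSTEM32, SYSTEM16, WINDIR]
    if safe_mode:
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]


def restricted_order():
    """Search list equivalent to LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32):
    only the system directory is consulted, so CWD and PATH never take part."""
    return [SYSTEM32]


def resolve(dll, order, present=PRESENT):
    """Return the first directory in `order` holding `dll`, or None if the
    loader would fail to find it (a missing DLL, the classic hijack target)."""
    wanted = dll.lower()
    for directory in order:
        if wanted in {name.lower() for name in present.get(directory, ())}:
            return directory
    return None


def hijack_dirs(dll, order, present=PRESENT, writable=WRITABLE):
    """Writable directories the loader checks before reaching the legitimate
    copy of `dll`. If the DLL exists nowhere, every writable directory in the
    search order qualifies."""
    legit = resolve(dll, order, present)
    stop = order.index(legit) if legit is not None else len(order)
    return [d for d in order[:stop] if d in writable]


def report(dll):
    """Compare the three loader configurations for one DLL name."""
    return {
        "safe": hijack_dirs(dll, search_order(APP_DIR, CWD, PATH_DIRS, True)),
        "legacy": hijack_dirs(dll, search_order(APP_DIR, CWD, PATH_DIRS, False)),
        "system32_only": hijack_dirs(dll, restricted_order()),
    }


if __name__ == "__main__":
    for name in ("version.dll", "helper.dll"):
        print(name, report(name))
```

The missing-DLL case is the one to watch: a DLL the application requests but never ships is hijackable from any writable directory in the search path, and SafeDllSearchMode does not help, because the walk never finds a legitimate copy to stop at. Only restricting the search (or loading by absolute path) takes the user-controlled directories out of play, and then a genuinely missing DLL fails closed with a load error instead of running attacker code.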
The following AutomationDirect products are affected:
CLICK Programming Software (Part Number C0-PGMSW) versions 2.10 and prior
C-More Programming Software (Part Number EA9-PGMSW) versions 6.30 and prior
C-More Micro (Part Number EA-PGMSW) versions 4.20.01.0 and prior
GS Drives Configuration Software (Part Number GSOFT) versions 4.0.6 and prior
SL-SOFT SOLO Temperature Controller Configuration Software (Part Number SL-SOFT) versions 22.214.171.124 and prior
Coordinated disclosure of the identified vulnerability was undertaken with AutomationDirect and the US Department of Homeland Security’s ICS-CERT. ICS-CERT has published the findings as Advisory ICSA-17-313-01 and allocated CVE-2017-14020.
More can be found on Mark’s blog at https://www.mogozobo.com/?p=3432