Published: 2017-11-09
# AutomationDirect CLICK, C-More, C-More Micro, GS Drives, and SL-Soft SOLO
### VULNERABLE VENDOR
AutomationDirect
### VULNERABLE PRODUCT
CLICK, C-More, C-More Micro, GS Drives, SL-Soft SOLO.
Mark Cross of RIoT Solutions reported the vulnerability to ICS-CERT.
### AFFECTED PRODUCTS
The following AutomationDirect products are affected:
- CLICK Programming Software (Part Number C0-PGMSW) versions 2.10 and prior,
- C-More Programming Software (Part Number EA9-PGMSW) versions 6.30 and prior,
- C-More Micro (Part Number EA-PGMSW) versions 4.20.01.0 and prior,
- GS Drives Configuration Software (Part Number GSOFT) versions 4.0.6 and prior, and
- SL-SOFT SOLO Temperature Controller Configuration Software (Part Number SL-SOFT) versions 22.214.171.124 and prior.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the system.
### VULNERABILITY OVERVIEW
UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element (DLL Hijacking) vulnerability has been identified.
To exploit this vulnerability, an attacker could give a malicious DLL the file name the application expects to load, and the application would not verify that the DLL is the correct one.
The attacker needs to have administrative access to the default install location in order to plant the malicious DLL.
Once loaded by the application, the DLL could run malicious code at the privilege level of the application.
CVE-2017-14020 has been assigned to this vulnerability.
A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
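The overview above describes the two conditions that make a CWE-427 DLL hijack practical on an engineering workstation: someone who can write into the application's install directory, and an application that does not check what it loads. The following PowerShell script is an added example for defenders (it is not part of the ICS-CERT advisory and not AutomationDirect's code); it audits an install directory for write rights granted to low-privilege principals and lists DLLs that do not carry a valid Authenticode signature. The install path is a placeholder parameter, since the advisory does not state the products' install locations; the well-known SIDs and the cmdlets used (`Get-Acl`, `Get-AuthenticodeSignature`, `Get-ChildItem`) are standard Windows PowerShell.

```powershell
# Added example (not from the advisory or the vendor): audit an application
# install directory for the preconditions of CWE-427 DLL hijacking.
# Run from an elevated PowerShell prompt on the workstation being checked.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallDir   # placeholder, e.g. 'C:\Program Files (x86)\<PRODUCT_DIR>'
)

# Well-known SIDs that should never hold write rights on a program directory:
# Everyone, Authenticated Users, and the local Users group.
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Any of these rights lets a principal plant or replace a file in the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-WritableByLowPriv {
    # Emits one record per Allow ACE that grants write rights to a low-privilege SID.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # orphaned or untranslatable identity; not one of the well-known groups
        }
        if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

function Get-UnsignedDll {
    # Emits every DLL under $Path whose Authenticode signature is missing or invalid.
    # An unsigned DLL is not proof of tampering (many vendors ship unsigned files);
    # record the result as a baseline and diff it after each software update.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Filter '*.dll' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Dll    = $_.FullName
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

Write-Host "== Write access for low-privilege principals under $InstallDir =="
$dirs = @(Get-Item -Path $InstallDir) + @(Get-ChildItem -Path $InstallDir -Recurse -Directory)
$dirs | ForEach-Object { Test-WritableByLowPriv -Path $_.FullName } | Format-Table -AutoSize

Write-Host "== DLLs without a valid Authenticode signature =="
Get-UnsignedDll -Path $InstallDir | Format-Table -AutoSize
```

Usage: `.\Audit-InstallDir.ps1 -InstallDir 'C:\Program Files (x86)\<PRODUCT_DIR>'`. An empty first table is the expected state for a default install under Program Files; any row there means the administrative-access precondition in the overview is weaker than intended on that machine. The second table is a baseline rather than a verdict, which is why the script reports signature status instead of deleting anything.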
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Information Technology
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Georgia, United States
AutomationDirect has produced fixes for the following software:
- CLICK Programming Software: Version 2.11 available at: http://support.automationdirect.com/products/clickplcs.html
- C-more Programming Software: Version 6.32 available at: http://support.automationdirect.com/products/cmore.html
- C-more Micro Programming Software: Version 4.21 available at: http://support.automationdirect.com/products/cmoremicro.html
- GS Drives: Version 4.0.7 available at: http://support.automationdirect.com/products/gsoft.html
- SL-Soft SOLO Configuration software: Version 126.96.36.199 available at: http://support.automationdirect.com/products/solo.html