SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-587119737] AutomationDirect CLICK, C-More, C-More Micro, GS Drives, and SL-Soft SOLO

Date: 2017-11-09
Type: Other
Platform: AutomationDirect
Author: Mark Cross of RIoT Solutions reported the vulnerability to ICS-CERT.
EDB-ID: N/A
CVE-ID: CVE-2017-1402
OSVDB-ID: N/A
Download App: N/A
SIS Signature: N/A

Source

#
# AutomationDirect CLICK, C-More, C-More Micro, GS Drives, and SL-Soft SOLO
#


### VULNERABLE VENDOR
AutomationDirect


### VULNERABLE PRODUCT
CLICK, C-More, C-More Micro, GS Drives, SL-Soft SOLO.



### RESEARCHER
Mark Cross of RIoT Solutions reported the vulnerability to ICS-CERT.



### AFFECTED PRODUCTS

The following AutomationDirect products are affected:

CLICK Programming Software (Part Number C0-PGMSW) versions 2.10 and prior,
C-More Programming Software (Part Number EA9-PGMSW) versions 6.30 and prior,
C-More Micro (Part Number EA-PGMSW) versions 4.20.01.0 and prior,
GS Drives Configuration Software (Part Number GSOFT) versions 4.0.6 and prior, and
SL-SOFT SOLO Temperature Controller Configuration Software (Part Number SL-SOFT) versions 1.1.0.5 and prior.



### IMPACT

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the system.



### VULNERABILITY OVERVIEW

UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element (DLL Hijacking) vulnerability has been identified.
To exploit this vulnerability, an attacker could rename a malicious DLL to meet the criteria of the application, and the application would not verify that the DLL is correct.
The attacker needs to have administrative access to the default install location in order to plant the malicious DLL.
Once loaded by the application, the DLL could run malicious code at the privilege level of the application.
CVE-2017-14020 has been assigned to this vulnerability.
A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).





### BACKGROUND

Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Information Technology
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Georgia, United States




### MITIGATION

AutomationDirect has produced fixes for the following software:

CLICK Programming Software: Version 2.11 available at: http://support.automationdirect.com/products/clickplcs.html

C-more Programming Software: Version 6.32 available at: http://support.automationdirect.com/products/cmore.html

C-more Micro Programming Software: Version 4.21 available at: http://support.automationdirect.com/products/cmoremicro.html

GS Drives: Version 4.0.7 available at: http://support.automationdirect.com/products/gsoft.html

SL-Soft SOLO Configuration software: Version 1.1.0.6 available at: http://support.automationdirect.com/products/solo.html