OTPulse
FeedAboutContact

Solar Controls Heating Control Downloader (HCDownloader)

Monitor7.8ICS-CERT ICSA-17-222-02Aug 10, 2017
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

HCDownloader is vulnerable to an untrusted search path or uncontrolled search path element vulnerability (CWE-427). This allows a local attacker with user-level access to execute arbitrary code on a system running the software by placing a malicious file in a location where the application searches for libraries or dependencies during startup or operation.

What this means
What could happen
An attacker with physical or local network access to a workstation running HCDownloader could execute arbitrary code with the privileges of the logged-in user, potentially allowing them to modify heating control configurations, disrupt heating system operations, or gain further access to the plant network.
Who's at risk
Organizations using Solar Controls HCDownloader for heating system configuration and management should be concerned. This includes facility managers, HVAC technicians, and engineering staff at utilities, commercial buildings, and industrial plants that rely on HCDownloader for heating control programming and downloads.
How it could be exploited
An attacker places a malicious file (DLL, library, or script) in a directory that HCDownloader searches during startup or when loading dependencies—such as the application directory, a shared temp folder, or the system path. When HCDownloader runs, it loads and executes the attacker's malicious file instead of the legitimate one, giving the attacker code execution in the context of the user running the application.
Prerequisites
  • Local or physical access to the workstation running HCDownloader
  • Ability to write files to a directory in the application's search path (application directory, temp folder, or system PATH)
  • User must launch HCDownloader or the vulnerable process must execute
Low complexity exploitationNo patch availableLocal/physical access requiredUser interaction required
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
ProductAffected VersionsFix Status
HCDownloader:≤ 1.0.1.15No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1
HARDENINGRestrict physical and local network access to workstations running HCDownloader. Only authorized engineering and maintenance staff should have access to these systems.
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

WORKAROUNDMonitor for and promptly remove HCDownloader from systems where it is no longer needed. Document all systems where it remains in use.
Mitigations - no patch available
0/2
HCDownloader: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIsolate HCDownloader workstations from the general corporate network using a dedicated engineering network or air-gap. Restrict writes to shared folders and temp directories on these systems.
HARDENINGContact Solar Controls to request notification of any future patches or workarounds. Evaluate alternative heating control download tools if Solar Controls remains unresponsive to security coordination.
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/c0ff224a-ddee-47cf-92a7-2172404fc6cc