OTPulse

AutomationDirect CLICK, C-More, C-More Micro, Do-more Designer, GS Drives, SL-Soft SOLO, DirectSOFT (Update B)

Monitor | CVSS 6.7 | ICS-CERT ICSA-17-313-01 | Nov 9, 2017
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

A code execution vulnerability exists in multiple AutomationDirect programming and configuration software products. The vulnerability requires local access to an engineering workstation and user interaction (such as opening a malicious file). Successful exploitation allows an attacker to execute arbitrary code with the privileges of the user running the software. This could allow modification of PLC logic, controller settings, or device firmware before changes are uploaded to field equipment. Affected products include CLICK Programming Software, C-More and C-More Micro Programming Software, Do-more Designer, DirectSOFT, GS Drives Configuration Software, and SL-Soft SOLO Configuration Software.

What this means
What could happen
An attacker could execute arbitrary code on an engineering workstation running these AutomationDirect programming tools, potentially modifying PLC/controller logic, configuration, or firmware to alter industrial processes.
Who's at risk
Water authorities and municipal utilities using AutomationDirect CLICK, C-More, Do-more, GS Drives, DirectSOFT, or SL-Soft SOLO programming software on engineering workstations. This affects anyone who configures or maintains PLCs, drives, temperature controllers, and field devices using these desktop applications.
How it could be exploited
An attacker with local access to an engineering workstation must trick a user into opening a malicious file or performing a specific action (social engineering or user interaction required). Once executed, the attacker gains code execution on the workstation, from which they could modify control logic or device configurations before uploading changes to PLCs and field devices.
Prerequisites
  • Local access to an engineering workstation or shared folder
  • Valid user account with ability to run the affected software
  • User interaction required (opening a malicious file or performing an action)
  • Attacker must have a way to deliver the malicious payload to the workstation (social engineering, compromised network share, email attachment)
  • Affects programming and configuration software
  • Requires user interaction
  • Requires local access
  • Default-secure (no default credentials involved)
  • Medium CVSS score (6.7)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7)
6 with fix, 1 pending
Product | Affected Versions | Fix Status
C-More Micro (Part Number EA-PGMSW) | ≤ 4.20.01.0 | No fix yet
CLICK Programming Software (Part Number C0-PGMSW) | ≤ 2.10 | 2.11
Do-more Designer Software (Part Number DM-PGMSW) | ≤ 2.0.3 | 2.2.1
GS Drives Configuration Software (Part Number GSOFT) | ≤ 4.0.6 | 4.0.7
SL-SOFT SOLO Temperature Controller Configuration Software (Part Number SL-SOFT) | ≤ 1.1.0.5 | 1.1.0.6
DirectSOFT Programming Software | ≤ 6.1 | 6.2
C-More Programming Software (Part Number EA9-PGMSW) | ≤ 6.30 | 6.32
Remediation & Mitigation
Do now
WORKAROUND: Restrict file-sharing permissions on engineering workstations to prevent unauthorized file drops
HARDENING: Train users not to open unsolicited files or email attachments from unknown sources
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CLICK Programming Software to version 2.11 or later
HOTFIX: Update C-More Programming Software to version 6.32 or later
HOTFIX: Update C-More Micro Programming Software to version 4.21 or later
HOTFIX: Update Do-more Designer Software to version 2.2.1 or later
HOTFIX: Update GS Drives Configuration Software to version 4.0.7 or later
HOTFIX: Update SL-Soft SOLO Configuration Software to version 1.1.0.6 or later
HOTFIX: Update DirectSOFT to version 6.2 or later
Long-term hardening
HARDENING: Isolate engineering workstations from the business network using a firewall or air-gapping when not actively communicating with PLCs
HARDENING: Implement application whitelisting on engineering workstations to restrict execution of unauthorized binaries