OTPulse

AutomationDirect DirectLOGIC with Serial Communication

Monitor · 7.7
ICS-CERT ICSA-22-167-02 · Jun 16, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

AutomationDirect DirectLOGIC PLCs transmit passwords in cleartext over serial communication without encryption. A specially crafted message can cause affected firmware versions to respond with the plaintext password. This affects D0-06, D0-05, D2, D3, D4, and F1-130 series controllers. The vulnerability allows an attacker with local or serial access to extract credentials that can be used for unauthorized access and configuration changes.

What this means
What could happen
An attacker with access to the serial communication line could extract the plaintext password for a DirectLOGIC PLC and gain unauthorized access to modify ladder logic programs, change process setpoints, or alter safety interlocks. This could disrupt operations or cause unsafe conditions in critical processes.
Who's at risk
Water utilities and municipal electric utilities using AutomationDirect DirectLOGIC PLC controllers for process control (SCADA, HMI, PLC programming). Specifically affects D0-06, D0-05, D2 series (D2-250, D2-260, D2-262), D3-350, D4 series (D4-430 through D4-454), and DL105 (F1-130xx) controllers used in pump control, treatment processes, generation/distribution, and other critical process automation.
How it could be exploited
An attacker with physical or serial port access to a DirectLOGIC PLC sends a specially crafted message over the serial communication interface. The vulnerable firmware responds with the plaintext password, which the attacker can then use to authenticate and modify the PLC program or configuration via an engineering workstation connection.
Prerequisites
  • Physical or serial port access to the affected PLC
  • Knowledge of the special message format to trigger password disclosure
  • An engineering workstation or serial terminal to send the crafted message
  • Vulnerable firmware version running on the PLC
Key points
  • No authentication required to trigger password disclosure
  • Cleartext password transmission over serial
  • Low complexity exploitation
  • Many affected products are end-of-life with no patches available
  • Affects process control and safety-critical systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (36)
36 pending
Product        Affected Versions          Fix Status
D0-06DD1-D     prior to v2.72 (< 2.72)    No fix yet
D0-06AA        prior to v2.72 (< 2.72)    No fix yet
D0-06AR        prior to v2.72 (< 2.72)    No fix yet
D0-06DA        prior to v2.72 (< 2.72)    No fix yet
D0-06DD1       prior to v2.72 (< 2.72)    No fix yet
Remediation & Mitigation
Do now
HARDENING: Secure physical access to all PLC equipment to prevent unauthorized serial cable attachment
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update D0-06 series CPUs (D0-06DD1-D, D0-06AA, D0-06AR, D0-06DA, D0-06DD1, D0-06DD2, D0-06DD2-D, D0-06DR, D0-06DR-D) to firmware version 2.72 or later
HOTFIX: Update D0-05 series CPUs (D0-05DD, D0-05DR, D0-05DA, D0-05AR, D0-05AA, D0-05AD, D0-05DD-D, D0-05DR-D) to firmware version 5.41 or later
HOTFIX: Update D2-250-1 to firmware version 4.91 or later
HOTFIX: Update D2-260 to firmware version 2.71 or later
HOTFIX: Update D2-262 to firmware version 1.06 or later
HOTFIX: Update D4-454 to firmware version 1.04 or later
Long-term hardening
HOTFIX: Replace obsolete D2-230, D2-240, D2-250 units with newer PLC families (D2-262, CLICK, Do-more/BRX, or Productivity Series)
HOTFIX: Replace obsolete D3-350 units with newer PLC families (D2-262, CLICK, Do-more/BRX, or Productivity Series)
HOTFIX: Replace obsolete D4-430, D4-440, D4-450 units with newer models (D4-454, CLICK, Do-more/BRX, or Productivity Series)
HOTFIX: Replace obsolete DL105 (F1-130xx) CPUs with newer PLC families (CLICK, Do-more/BRX, or Productivity Series)
HARDENING: Isolate and air-gap PLC networks from corporate networks when operationally feasible