AutomationDirect DirectLOGIC with Ethernet
Monitor · 7.5 · ICS-CERT ICSA-22-167-03 · Jun 16, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
AutomationDirect DirectLOGIC Ethernet modules contain two vulnerabilities: (1) CVE-2022-2003 allows remote attackers to extract the Ethernet module password via a specially crafted message without authentication, and (2) CVE-2022-2004 allows a denial-of-service condition. The password vulnerability could enable unauthorized reconfiguration of the PLC logic or process parameters. Affected models include the D0-06 series, DL05 series, D2-240/250/250-1/260/262, and D4-430/440/450/454. The updated firmware adds a 3-hour password lockout after three failed attempts and no longer returns the password in response to the crafted request.
What this means
What could happen
An attacker on your network could extract the Ethernet module password without authentication, or trigger a denial-of-service condition by sending specially crafted network messages. This could allow unauthorized access to reprogram the PLC or stop its operation.
Who's at risk
Water and electric utilities, wastewater systems, and food/beverage processing plants using AutomationDirect DirectLOGIC PLCs (D0-06 series, D2 series, D4 series, and DL05 series) with Ethernet modules. These are mid-range programmable logic controllers commonly deployed in SCADA systems for process control and monitoring.
How it could be exploited
An attacker with network access to the Ethernet module (port 502 or other DirectLOGIC services) can send a specially crafted message to force the device to reveal its password in response, without needing any credentials. With the password, the attacker could then connect to reprogram the PLC's logic or modify process parameters.
Prerequisites
- Network reachability to the Ethernet module on the DirectLOGIC PLC
- No authentication or credentials required to trigger the vulnerability
Tags: remotely exploitable · no authentication required · low complexity · no patch available for obsolete models · affects industrial control systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (26), fix status: 26 pending
Product        Affected Versions   Fix Status
D0-06AA        < 2.72              No fix yet
D0-06AR        < 2.72              No fix yet
D0-06DA        < 2.72              No fix yet
D0-06DD1       < 2.72              No fix yet
D0-06DD1-D     < 2.72              No fix yet
Remediation & Mitigation
Do now
HARDENING: Isolate the automation network from the business network using an air gap or a firewall with strict ingress rules—only allow necessary engineering workstation connections
HARDENING: Restrict physical access to the PLC and Ethernet modules; in case of exploitation, attackers may attempt to power-cycle the device to bypass the 3-hour password lockout
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update D0-06 series CPUs to firmware version 2.72 or later
HOTFIX: Update DL05 series CPUs to firmware version 5.41 or later
HOTFIX: Update D2-250-1 to firmware version 4.91 or later
HOTFIX: Update D2-260 to firmware version 2.71 or later
HOTFIX: Update D2-262 to firmware version 1.06 or later
HOTFIX: Update D4-454 to firmware version 1.04 or later
Long-term hardening
HOTFIX: Replace D2-240/250 (obsolete) with a newer PLC: D2-262, CLICK, Do-more/BRX, or Productivity Series
HOTFIX: Replace D4-430/440/450 (obsolete) with a newer PLC: D4-454, CLICK, Do-more/BRX, or Productivity Series
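Added example, not part of this advisory or of any AutomationDirect tooling: a small Python check that applies the "only engineering workstations" ingress rule above to firewall-style connection records and also flags any source that opens three or more connections to the module within a short window (the same three-attempt threshold the updated firmware enforces). The PLC address, the workstation allowlist and the log lines are hypothetical values constructed for this example; port 502 is the one named in the advisory.

```python
"""Flag unexpected or repeated connections to a DirectLOGIC Ethernet module.

Constructed example: reads firewall-style connection records and reports
(a) any source not on the engineering workstation allowlist that reaches
the PLC's Ethernet module, and (b) any source that opens three or more
connections within WINDOW, mirroring the firmware's three-attempt lockout.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical addresses chosen for this example (not from the advisory).
PLC_ADDR = "10.10.1.50"
ENGINEERING_WS = {"10.10.1.10"}
PLC_PORTS = {502}          # Modbus/TCP port named in the advisory
WINDOW = timedelta(minutes=5)
ATTEMPT_THRESHOLD = 3      # matches the firmware's three-failed-attempt lockout

# Constructed log lines: "<ISO timestamp> <src> -> <dst>:<dport> <action>"
SAMPLE_LOG = """\
2022-06-16T08:00:01 10.10.1.10 -> 10.10.1.50:502 ACCEPT
2022-06-16T08:00:05 10.10.1.10 -> 10.10.1.50:502 ACCEPT
2022-06-16T08:01:10 192.168.5.23 -> 10.10.1.50:502 ACCEPT
2022-06-16T08:01:12 192.168.5.23 -> 10.10.1.50:502 ACCEPT
2022-06-16T08:01:15 192.168.5.23 -> 10.10.1.50:502 ACCEPT
2022-06-16T09:30:00 10.10.1.10 -> 10.10.1.50:502 ACCEPT
"""

def parse_line(line):
    """Split one record into (timestamp, src, dst, dport, action)."""
    ts, src, _, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action

def analyze(log_text):
    """Return (unexpected_sources, burst_sources) for traffic to the PLC."""
    unexpected, bursts = set(), set()
    recent = defaultdict(list)  # src -> timestamps of connections inside WINDOW
    for line in log_text.splitlines():
        ts, src, dst, port, _ = parse_line(line)
        if dst != PLC_ADDR or port not in PLC_PORTS:
            continue                      # not traffic to the Ethernet module
        if src not in ENGINEERING_WS:
            unexpected.add(src)           # violates the strict ingress rule
        hits = [t for t in recent[src] if ts - t <= WINDOW] + [ts]
        recent[src] = hits
        if len(hits) >= ATTEMPT_THRESHOLD:
            bursts.add(src)               # repeated attempts in a short window
    return sorted(unexpected), sorted(bursts)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```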
CVEs (2)