OTPulse

AutomationDirect Stride Field I/O

Plan Patch · CVSS 9.6 · ICS-CERT ICSA-22-202-05 · Jul 21, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

AutomationDirect Stride Modbus Field I/O modules contain an unencrypted credential storage vulnerability (CWE-319) that allows an attacker with network access to extract user credentials. Affected firmware versions include SIO-MB04ADS (<8.4.3.0), SIO-MB04DAS (<8.11.3.0), SIO-MB04RTDS (<8.3.4.0), SIO-MB04THMS (<8.5.4.0), SIO-MB08ADS-1 (<8.6.3.0), SIO-MB08ADS-2 (<8.7.3.0), SIO-MB08THMS (<8.8.4.0), SIO-MB12CDR (<8.0.4.0), SIO-MB16CDD2 (<8.1.4.0), and SIO-MB16ND3 (<8.2.4.00). Certain hardware batches (B/N 5714442222 for SIO-MB04ADS and SIO-MB12CDR, and B/N 57141862221 for SIO-MB04THMS) cannot be patched and require RMA replacement. Compromised credentials could enable an attacker to gain unauthorized access to the broader automation control system and modify process parameters or disable critical functions.

What this means
What could happen
An attacker with access to the network could extract user credentials stored on these Stride Modbus Field I/O units, potentially compromising access to the broader automation control system and allowing unauthorized changes to process settings or operational parameters.
Who's at risk
Water authorities, municipal electric utilities, and other critical infrastructure operators using AutomationDirect Stride Modbus Field I/O modules (SIO-MB series) for remote input/output control. These modules are commonly used in SCADA and PLC-based automation systems to acquire sensor data and control field devices such as pumps, valves, and motors.
How it could be exploited
An attacker with network access to a Stride Field I/O module could exploit the credential storage vulnerability to read plaintext or weakly protected credentials. These credentials could then be used to access other devices on the automation network, such as PLCs or HMIs, to alter control logic or process setpoints.
Prerequisites
  • Network access to the Stride Field I/O module (local network or adjacent segment, given CVSS vector AV:A)
  • No authentication or special credentials required to trigger the vulnerability
  • Module must be running affected firmware version
  • Remotely exploitable from adjacent network segment
  • No authentication required
  • Low attack complexity
  • Affects multiple Field I/O module variants
  • No patch available for some hardware batches (requires RMA replacement)
  • Could lead to credential compromise and lateral movement in control system
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (14)
13 with fix, 1 pending
Product                          Affected Versions   Fix Status
SIO-MB04ADS: firmware            < 8.4.3.0           No fix yet
SIO-MB04DAS: firmware            < 8.11.3.0          8.11.3.0
SIO-MB04RTDS: firmware           < 8.3.4.0           8.3.4.0
SIO-MB04THMS: firmware           < 8.5.4.0           8.5.4.0
SIO-MB04THMS: B/N 57141862221    57141862221         8.5.4.0
SIO-MB08ADS-1: firmware          < 8.6.3.0           8.6.3.0
SIO-MB08ADS-2: firmware          < 8.7.3.0           8.7.3.0
SIO-MB08THMS: firmware           < 8.8.4.0           8.8.4.0
Remediation & Mitigation
Do now
HARDENING: Restrict network access to Stride Field I/O modules using firewalls and network segmentation; isolate automation networks from untrusted segments
WORKAROUND: Implement physical access controls to prevent unauthorized connections to Field I/O modules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade firmware on SIO-MB04ADS to version 8.4.3.0 or later
HOTFIX: Upgrade firmware on SIO-MB04DAS to version 8.11.3.0 or later
HOTFIX: Upgrade firmware on SIO-MB04RTDS to version 8.3.4.0 or later
HOTFIX: Upgrade firmware on SIO-MB04THMS to version 8.5.4.0 or later
HOTFIX: Upgrade firmware on SIO-MB08ADS-1 to version 8.6.3.0 or later
HOTFIX: Upgrade firmware on SIO-MB08ADS-2 to version 8.7.3.0 or later
HOTFIX: Upgrade firmware on SIO-MB08THMS to version 8.8.4.0 or later
HOTFIX: Upgrade firmware on SIO-MB12CDR to version 8.0.4.0 or later
HOTFIX: Upgrade firmware on SIO-MB16CDD2 to version 8.1.4.0 or later
HOTFIX: Upgrade firmware on SIO-MB16ND3 to version 8.2.4.00 or later
HOTFIX: For modules with batch numbers 5714442222 (SIO-MB04ADS and SIO-MB12CDR) and 57141862221 (SIO-MB04THMS): contact AutomationDirect for RMA and request replacement modules
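
An inventory triage against the fixed firmware versions and non-patchable batch numbers listed above, as an added example that is not part of the advisory or of any AutomationDirect tooling. The inventory row fields (`model`, `firmware`, `batch`) and the sample rows are assumptions.

```python
# Added example: triage an asset inventory against this advisory's fix list.
# Thresholds and batch numbers come from the advisory; inventory rows are constructed.
FIXED_IN = {
    "SIO-MB04ADS": "8.4.3.0",
    "SIO-MB04DAS": "8.11.3.0",
    "SIO-MB04RTDS": "8.3.4.0",
    "SIO-MB04THMS": "8.5.4.0",
    "SIO-MB08ADS-1": "8.6.3.0",
    "SIO-MB08ADS-2": "8.7.3.0",
    "SIO-MB08THMS": "8.8.4.0",
    "SIO-MB12CDR": "8.0.4.0",
    "SIO-MB16CDD2": "8.1.4.0",
    "SIO-MB16ND3": "8.2.4.00",
}
# Hardware batches the advisory says cannot be patched (RMA replacement).
RMA_BATCHES = {
    ("SIO-MB04ADS", "5714442222"),
    ("SIO-MB12CDR", "5714442222"),
    ("SIO-MB04THMS", "57141862221"),
}

def parse_version(text):
    """'8.2.4.00' -> (8, 2, 4, 0); numeric compare, so 8.11 sorts above 8.9."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(device):
    """Return 'rma', 'upgrade', 'ok' or 'unknown' for one inventory row."""
    model = device["model"].replace(" ", "").upper()
    if model not in FIXED_IN:
        return "unknown"
    if (model, device.get("batch", "").strip()) in RMA_BATCHES:
        return "rma"  # firmware level is irrelevant for these batches
    try:
        current = parse_version(device["firmware"])
    except (KeyError, ValueError):
        return "unknown"  # missing or unparsable version: check by hand
    return "upgrade" if current < parse_version(FIXED_IN[model]) else "ok"

# Constructed sample inventory (not real devices).
SAMPLE = [
    {"model": "SIO-MB04DAS", "firmware": "8.9.3.0", "batch": "1111111111"},
    {"model": "SIO-MB16ND3", "firmware": "8.2.4.0", "batch": "2222222222"},
    {"model": "sio-mb12cdr", "firmware": "8.0.4.0", "batch": "5714442222"},
    {"model": "SIO-MB08THMS", "firmware": "n/a"},
]

for row in SAMPLE:
    print(row["model"], row.get("firmware"), "->", triage(row))
```

Versions are compared as integer tuples because a plain string comparison would rank 8.9.3.0 above the fixed 8.11.3.0 and report the module as patched.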
Long-term hardening
HARDENING: Review and follow AutomationDirect Security Considerations document and product advisory PA-COM-006