AutomationDirect C-More EA9 Programming Software
Plan Patch · CVSS 7.8 · ICS-CERT ICSA-24-340-01 · Dec 5, 2024
AutomationDirect
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
C-More EA9 Programming Software versions 6.78 and earlier contain a buffer overflow vulnerability (CWE-121) that may allow memory corruption and remote code execution through a specially crafted file or input. The vulnerability affects the programming and configuration tool used to develop HMI applications for industrial control systems. Exploitation requires local or physical access to the engineering workstation; no remote exploitation has been reported.
What this means
What could happen
A memory corruption vulnerability in C-More EA9 programming software could allow an attacker to execute arbitrary code on an engineering workstation, potentially enabling modifications to HMI configurations or PLC programs that control industrial processes.
Who's at risk
Engineering and IT staff at water utilities, municipalities, and manufacturers that use AutomationDirect C-More EA9 HMI programming software to develop and configure industrial control systems. This affects any organization that develops or modifies HMI applications on C-More EA9 workstations.
How it could be exploited
An attacker would need local or physical access to the engineering workstation running C-More EA9 (exploitable via file opening, USB insertion, or local network access). Once the vulnerability is triggered through a specially crafted file or input, the buffer overflow allows code execution with the privileges of the user running the software.
Prerequisites
- Local or physical access to the engineering workstation
- Ability to trigger the vulnerability by opening a malicious file or placing a crafted input on the system
- Engineering workstation must be running C-More EA9 version 6.78 or earlier
- Memory corruption/buffer overflow
- Code execution on engineering workstation
- Requires local access (not remotely exploitable)
- Low attack complexity
- Affects engineering/development environment
Exploitability
Some exploitation risk — EPSS score 1.6%
Affected products (1)
Product | Affected Versions | Fix Status
C-More EA9 Programming Software | ≤ 6.78 | 6.79
Remediation & Mitigation
Do now
- WORKAROUND: Disconnect the engineering workstation from external networks and corporate LAN until the update can be applied
- HARDENING: Restrict physical and logical access to the engineering workstation to authorized personnel only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update C-More EA9 Programming Software to version 6.79 or later
Long-term hardening
- HARDENING: Implement application whitelisting on the engineering workstation to block unauthorized or untrusted software execution
- HARDENING: Deploy host-based firewall and endpoint detection and response (EDR) tools to monitor for and block malicious activity on the workstation
- HARDENING: Enable logging and monitoring of system activities on the engineering workstation and regularly review logs for suspicious behavior