OTPulse

AutomationDirect C-More EA9 Programming Software

Plan Patch · CVSS 7.8 · ICS-CERT ICSA-24-340-01 · Dec 5, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

AutomationDirect C-More EA9 Programming Software versions 6.78 and earlier contain a buffer overflow vulnerability (CWE-121) that could result in memory corruption and remote code execution. The vulnerability affects the software's handling of input during project file processing. The vendor recommends updating to version 6.79. Because these vulnerabilities are not remotely exploitable and no known public exploitation has been reported, risk is limited to scenarios where an attacker has local access or can supply a malicious file to the engineering workstation.

What this means
What could happen
A buffer overflow in the C-More EA9 programming software could allow an attacker with local access to run arbitrary code on the engineering workstation, potentially enabling modification or creation of malicious HMI projects that could be deployed to control the connected PLC or other ICS devices.
Who's at risk
This affects water authorities and utilities using AutomationDirect C-More EA9 HMI programming software on engineering workstations. Any organization that configures or maintains programmable logic controllers (PLCs) and other industrial equipment through C-More EA9 should assess their exposure, particularly those with shared workstations or where multiple users have access to engineering tools.
How it could be exploited
An attacker must have local access to the engineering workstation running C-More EA9 v6.78 or earlier. They would need to supply a malicious file (such as a project file or configuration) that triggers the buffer overflow when opened or processed by the software, allowing code execution in the context of the application. The attacker could then use this execution to modify projects or extract credentials.
Prerequisites
  • Local access to the engineering workstation
  • C-More EA9 software version 6.78 or earlier installed
  • Ability to supply a malicious file to the workstation (via email attachment, USB drive, or shared network path)
  • User interaction to open or process the malicious file
  • Buffer overflow vulnerability
  • Local access required
  • Low complexity attack
  • No patch available yet
  • Affects engineering/programming tool used to configure safety-critical devices
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (1)
Product | Affected Versions | Fix Status
C-More EA9 Programming Software: <=6.78 | ≤ 6.78 | 6.79
Remediation & Mitigation
Do now
  • WORKAROUND: Disconnect the engineering workstation from external networks and the corporate LAN; use only air-gapped or dedicated secure internal networks for communication with programmable devices
  • HARDENING: Restrict physical and logical access to the engineering workstation to authorized personnel only; implement multi-factor authentication and strong password policies
  • WORKAROUND: Deploy application whitelisting to allow only pre-approved software on the engineering workstation
  • HARDENING: Configure host-based firewall to block unauthorized access to the engineering workstation
  • HARDENING: Train personnel not to click links or open attachments in unsolicited email messages
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update C-More EA9 Programming Software to version 6.79 or later
  • HARDENING: Install and configure antivirus or endpoint detection and response (EDR) tools on the engineering workstation
  • HARDENING: Enable logging and monitoring of system activities on the engineering workstation; regularly review logs for suspicious behavior
  • HARDENING: Disable unnecessary services and software on the engineering workstation; disable USB autorun and restrict administrative privileges
Long-term hardening
  • HARDENING: Establish regular backup and recovery procedures for the engineering workstation and test recovery processes
  • HARDENING: Conduct ongoing risk assessments to evaluate exposure from the outdated software and adjust mitigations as needed
AutomationDirect C-More EA9 Programming Software | CVSS 7.8 - OTPulse