1. EXECUTIVE SUMMARY
- CVSS v4 8.4
- ATTENTION: Low attack complexity
- Vendor: AutomationDirect
- Equipment: C-More EA9 Programming Software
- Vulnerabilities: Stack-based Buffer Overflow
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in memory corruption; a buffer overflow condition may allow arbitrary code execution. Although the vulnerabilities are described as remote code execution flaws, the CVSS vectors (AV:L, UI:R) indicate that an attacker must get a user to open a malicious file on the engineering workstation; exploitation then yields code execution in that user's security context.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
AutomationDirect reports that the following versions of C-more EA9 series programming software are affected:
- C-More EA9 Programming Software: version 6.78 and prior
3.2 Vulnerability Overview
3.2.1 Stack-based Buffer Overflow CWE-121
A file parsing stack-based buffer overflow arises when the software copies data from an input file into a fixed-size buffer on the stack without validating that the data fits. Because the overflowing bytes come from the file, an attacker who can get a user to open a crafted file controls what overwrites the adjacent stack contents (saved registers, return address), which can lead to arbitrary code execution with the privileges of the user running the programming software, often resulting in system compromise or unauthorized control.
CVE-2024-11609 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11609. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Stack-based Buffer Overflow CWE-121
A file parsing memory corruption vulnerability occurs when the application fails to safely handle data while parsing a file, corrupting memory. An attacker who can get a user to open a crafted file can use this to execute arbitrary code in that user's context, potentially compromising the target system.
CVE-2024-11610 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11610. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 Stack-based Buffer Overflow CWE-121
This is a further instance of the same class: a file parsing memory corruption vulnerability in which the application fails to safely handle data while parsing a file, corrupting memory. An attacker who can get a user to open a crafted file can use this to execute arbitrary code in that user's context, potentially compromising the target system.
CVE-2024-11611 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11611. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
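All three entries above are the same bug class, CWE-121 reached through file parsing. The C program below is an added illustration written for this page; it is not AutomationDirect's code and does not reflect the real C-more EA9 file format or the actual defects. It parses a hypothetical record layout ([1-byte tag][2-byte little-endian length][payload]) twice: once the way such bugs are typically introduced (the length field from the file is trusted when copying into a 32-byte stack buffer) and once hardened (the copy is bounded by both the bytes present and the destination size). The record layout, the NAME_MAX size, and every function name are assumptions made for the example.

```c
/*
 * Added illustration, not AutomationDirect's code and not the actual
 * C-more EA9 defect: a parser for a made-up project-file record layout
 * (hypothetical), once with a CWE-121 stack-based overflow and once
 * hardened. Record layout assumed here:
 *   [1 byte tag][2 bytes little-endian length][`length` payload bytes]
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32            /* fixed-size buffer for a name field */

/* Scratch buffers so callers can build and parse records without setup. */
uint8_t demo_rec[512];
char    demo_out[NAME_MAX];

/* Build a record whose payload is `len` bytes of `fill` (constructed input,
 * standing in for a crafted file). Returns total record size, 0 on error. */
size_t make_filled_record(uint8_t *out, size_t out_sz, uint8_t tag,
                          uint16_t len, uint8_t fill)
{
    if (out_sz < 3u + len) return 0;
    out[0] = tag;
    out[1] = (uint8_t)(len & 0xff);
    out[2] = (uint8_t)(len >> 8);
    memset(out + 3, fill, len);
    return 3u + len;
}

/* Same, with an explicit payload. */
size_t make_record(uint8_t *out, size_t out_sz, uint8_t tag,
                   const uint8_t *payload, uint16_t len)
{
    if (out_sz < 3u + len) return 0;
    out[0] = tag;
    out[1] = (uint8_t)(len & 0xff);
    out[2] = (uint8_t)(len >> 8);
    memcpy(out + 3, payload, len);
    return 3u + len;
}

static uint16_t record_len(const uint8_t *rec)
{
    return (uint16_t)(rec[1] | (rec[2] << 8));
}

/* VULNERABLE: the length field is checked against the file bytes that are
 * present, but never against the 32-byte stack buffer. A record declaring
 * len > NAME_MAX overwrites whatever sits above `name` on the stack
 * (saved registers, return address) with attacker-chosen file bytes. */
int parse_name_record_vulnerable(const uint8_t *rec, size_t rec_len)
{
    char name[NAME_MAX];
    if (rec_len < 3) return -1;
    uint16_t len = record_len(rec);
    if ((size_t)len > rec_len - 3) return -1;   /* truncated record */
    memcpy(name, rec + 3, len);                 /* CWE-121: no NAME_MAX check */
    return (int)len;
}

/* HARDENED: bounds the copy by both the bytes present and the destination
 * size (leaving room for the terminator) and rejects anything else. */
int parse_name_record_hardened(const uint8_t *rec, size_t rec_len,
                               char *out, size_t out_sz)
{
    if (rec_len < 3 || out_sz == 0) return -1;
    uint16_t len = record_len(rec);
    if ((size_t)len > rec_len - 3) return -1;   /* truncated record */
    if ((size_t)len >= out_sz) return -1;       /* would overflow `out` */
    memcpy(out, rec + 3, len);
    out[len] = '\0';
    return (int)len;
}

int main(void)
{
    size_t n = make_record(demo_rec, sizeof demo_rec, 0x01,
                           (const uint8_t *)"Pump1", 5);
    int v = parse_name_record_vulnerable(demo_rec, n);
    int h = parse_name_record_hardened(demo_rec, n, demo_out, sizeof demo_out);
    printf("benign: vulnerable=%d hardened=%d name=%s\n", v, h, demo_out);

    /* Crafted record: declares 200 payload bytes, far beyond NAME_MAX. The
     * hardened parser refuses it; the vulnerable one is deliberately not
     * called here because it would corrupt this process's own stack. */
    n = make_filled_record(demo_rec, sizeof demo_rec, 0x01, 200, 'A');
    h = parse_name_record_hardened(demo_rec, n, demo_out, sizeof demo_out);
    printf("oversize: hardened=%d\n", h);
    return 0;
}
```

The check worth taking away is the order of the two bounds tests in the hardened parser: a length must be validated against the bytes actually present in the file (to avoid an out-of-bounds read) and against the destination buffer (to avoid the stack write), and rejecting the record is the correct response to either failure rather than silently truncating.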
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Andrea Micalizzi aka rgod (@rgod777) working with Trend Micro Zero Day Initiative reported these vulnerabilities to AutomationDirect.
4. MITIGATIONS
To resolve these vulnerabilities, AutomationDirect recommends that users update the C-more EA9 Programming Software to version 6.79.
If an immediate update is not feasible, AutomationDirect recommends considering the following interim steps until the programming software can be updated:
- Isolate the Engineering Workstation:
  - Disconnect the workstation from external networks (e.g., internet or corporate LAN) to limit exposure to external threats.
  - Use dedicated, secure internal networks or air-gapped systems for communication with programmable devices.
- Control Access:
  - Restrict physical and logical access to the workstation to authorized personnel only.
  - Implement multi-factor authentication (MFA) and robust password policies for user accounts.
- Implement Whitelisting:
  - Use application whitelisting to allow only pre-approved and trusted software to execute on the workstation.
  - Block untrusted or unauthorized applications.
- Apply Endpoint Security Measures:
  - Use antivirus or endpoint detection and response (EDR) tools to monitor for and mitigate threats.
  - Ensure that host-based firewalls are properly configured to block unauthorized access.
- Monitor and Log Activity:
  - Enable logging and monitoring of system activities to detect potential anomalies or unauthorized actions.
  - Regularly review logs for suspicious activity.
- Harden the Workstation:
  - Remove or disable unnecessary services and software to reduce the attack surface.
  - Implement security configurations, such as disabling autorun for USB drives or restricting administrative privileges.
- Use Secure Backup and Recovery:
  - Regularly back up the workstation and its configurations to a secure location.
  - Test recovery procedures to ensure minimal downtime in the event of an incident.
- Conduct Regular Risk Assessments:
  - Continuously assess the risks posed by the outdated software and adjust mitigation measures as necessary.
For more information, see the AutomationDirect security advisory.
CISA recommends users take the following measures to protect themselves from social engineering attacks:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely: the attack vector is local (AV:L), and a user must open a malicious file for exploitation to occur (UI:R in CVSS v3.1, UI:A in CVSS v4).
5. UPDATE HISTORY
- December 5, 2024: Initial Publication