PT-2022-10178 · Automationdirect · Automation Direct Click Plc Cpu Modules
Adeen Ayub +2
Published: 2022-04-04 · Updated: 2022-10-25
CVE-2021-32986
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Automation Direct CLICK PLC CPU Modules: C0-1x CPUs versions prior to v3.00
Description
The issue arises when an authorized user unlocks the Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00. The unlocked state does not time out, so if the programming software is interrupted the PLC remains unlocked and accepts all subsequent programming connections without authorization. The PLC is relocked only by a power cycle or when the programming software disconnects correctly.
Recommendations
For versions prior to v3.00, update the firmware to v3.00 or later to resolve the issue. As a temporary workaround, consider performing a power cycle after each use of the programming software to ensure the PLC is relocked. Additionally, ensure the programming software disconnects correctly to prevent unauthorized access.
Weakness Types
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
Incorrect Authorization (CWE-863)
Affected Products
Automation Direct CLICK PLC CPU Modules