Screen of Danger: AutomationDirect HMIs Hit by Triple Threat Vulnerabilities

Beware, AutomationDirect users: your C-MORE EA9 HMI might just be an open invitation for cyber party-crashers! With vulnerabilities like Path Traversal and Password Peepshows, update to V6.78 before hackers RSVP.

Hot Take:

Oh, what a tangled web we weave when first we practice to… literally not update our HMIs. AutomationDirect’s C-MORE EA9 HMI is like that one relative who thinks ‘password’ is a great password. With a buffet of vulnerabilities, including the classic path traversal and a charming stack-based buffer overflow, it’s no wonder CISA is playing cybersecurity nanny. Let’s update and maybe not store our secrets on a Post-it note, shall we?

Key Points:

  • AutomationDirect’s C-MORE EA9 HMI series has a trio of vulnerabilities that could give hackers a field day.
  • These vulnerabilities include an open-door policy to path traversal, an all-you-can-eat stack-based buffer overflow, and a plaintext password faux pas.
  • Products affected are like the entire lineup of C-MORE EA9 HMI versions up to 6.77 – so it’s a full house.
  • Tomer Goldschmidt (of Claroty’s Team82) deserves a cookie for pointing out these cybersecurity no-nos.
  • The solution is an update to version 6.78 and some serious defensive cybersecurity maneuvers.

Title: AutomationDirect C-MORE EA9 HMI Stack-based Buffer Overflow
CVE ID: CVE-2024-25137
CVE state: PUBLISHED
CVE assigner short name: icscert
CVE date updated: 03/26/2024
CVE description: In AutomationDirect C-MORE EA9 HMI there is a program that copies a buffer of a size controlled by the user into a limited sized buffer on the stack which may lead to a stack overflow. The result of this stack-based buffer overflow can lead to denial-of-service conditions.
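
The pattern the CVE-2024-25137 description names, shown as an added example that is not AutomationDirect's code: a constructed, hypothetical framing (2-byte length, then payload) copied into a fixed 64-byte stack buffer, first the way the advisory describes it and then with the length validated against both what arrived and the destination size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed framing (hypothetical, not the HMI's real protocol): a 2-byte
 * big-endian length, then that many payload bytes, copied into a fixed
 * 64-byte buffer on the receiver's stack. */
#define PAYLOAD_MAX 64

enum frame_status { FRAME_OK = 0, FRAME_TRUNCATED = -1, FRAME_TOO_LONG = -2 };

/* The pattern CVE-2024-25137 describes: the copy length is read from the
 * frame and handed straight to memcpy. Shown for contrast only. */
void copy_payload_unchecked(uint8_t *dst, const uint8_t *frame) {
    size_t len = ((size_t)frame[0] << 8) | frame[1];
    memcpy(dst, frame + 2, len);          /* len > PAYLOAD_MAX overruns dst */
}

/* Hardened form: check the declared length against both the bytes actually
 * received and the destination size before copying anything. */
int copy_payload_checked(uint8_t *dst, size_t dst_size, const uint8_t *frame,
                         size_t frame_len, size_t *out_len) {
    if (frame_len < 2)
        return FRAME_TRUNCATED;
    size_t len = ((size_t)frame[0] << 8) | frame[1];
    if (len > frame_len - 2)
        return FRAME_TRUNCATED;           /* header promises more than arrived */
    if (len > dst_size)
        return FRAME_TOO_LONG;            /* would overflow the stack buffer */
    memcpy(dst, frame + 2, len);
    *out_len = len;
    return FRAME_OK;
}

/* Entry point for a received frame: parse into a stack buffer, return status. */
int handle_frame(const uint8_t *frame, size_t frame_len) {
    uint8_t buf[PAYLOAD_MAX];
    size_t n = 0;
    return copy_payload_checked(buf, sizeof buf, frame, frame_len, &n);
}

int main(void) {
    /* Constructed frames: a well-formed 4-byte payload, and a header claiming 0x1000 bytes. */
    const uint8_t good[] = {0x00, 0x04, 'D', 'A', 'T', 'A'};
    const uint8_t bad[]  = {0x10, 0x00, 'X', 'X', 'X', 'X'};
    printf("good -> %d, bad -> %d\n", handle_frame(good, sizeof good),
           handle_frame(bad, sizeof bad));
    return 0;
}
```

The denial-of-service outcome the advisory mentions is exactly what the unchecked variant produces when the declared length exceeds the buffer; the checked variant turns the same input into a rejected frame.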

Title: AutomationDirect C-MORE EA9 HMI Path Traversal
CVE ID: CVE-2024-25136
CVE state: PUBLISHED
CVE assigner short name: icscert
CVE date updated: 03/26/2024
CVE description: There is a function in AutomationDirect C-MORE EA9 HMI that allows an attacker to send a relative path in the URL without proper sanitizing of the content.
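
The "proper sanitizing" the CVE-2024-25136 description says is missing, as an added example that is not the HMI's code: a check that percent-decodes a URL path and walks its segments so that no ".." can climb above the web root. The sample paths and the 512-byte limit are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Decode %XX escapes from `in` into `out`. Returns 0 on a malformed escape,
 * an embedded NUL (%00) or output that would not fit. */
static int url_decode(const char *in, char *out, size_t out_size) {
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (j + 1 >= out_size) return 0;
        if (in[i] != '%') { out[j++] = in[i]; continue; }
        if (!isxdigit((unsigned char)in[i + 1]) || !isxdigit((unsigned char)in[i + 2]))
            return 0;
        char hex[3] = { in[i + 1], in[i + 2], '\0' };
        int byte = (int)strtol(hex, NULL, 16);
        if (byte == 0) return 0;               /* %00 would truncate the path */
        out[j++] = (char)byte;
        i += 2;
    }
    out[j] = '\0';
    return 1;
}

/* Returns 1 if the decoded path can never climb above the web root, 0 if it must
 * be rejected. '/' and '\\' both separate segments; "%2e%2e" is decoded first. */
int path_is_safe(const char *url_path) {
    char decoded[512];
    if (!url_decode(url_path, decoded, sizeof decoded)) return 0;
    int depth = 0;
    for (const char *p = decoded; *p; ) {
        while (*p == '/' || *p == '\\') p++;            /* skip separators */
        const char *start = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t n = (size_t)(p - start);
        if (n == 0) break;
        if (n == 1 && start[0] == '.') continue;        /* "." changes nothing */
        if (n == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0) return 0;                  /* ".." above the root */
            continue;
        }
        depth++;
    }
    return 1;
}

int main(void) {
    const char *sample = "/screens/%2e%2e/%2e%2e/config.cfg";   /* constructed */
    printf("%s -> %s\n", sample, path_is_safe(sample) ? "ok" : "rejected");
    return 0;
}
```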

Title: AutomationDirect C-MORE EA9 HMI Plaintext Storage of a Password
CVE ID: CVE-2024-25138
CVE state: PUBLISHED
CVE assigner short name: icscert
CVE date updated: 03/26/2024
CVE description: In AutomationDirect C-MORE EA9 HMI, credentials used by the platform are stored as plain text on the device.

Need to know more?

The Plot Thickens

The stage is set: a plethora of AutomationDirect's C-MORE EA9 HMI displays are just waiting for their big break... into cybersecurity infamy. These displays are like the weakest link in the "who's got the worst password" game, where everyone loses. With path traversal, they're practically laying out a red carpet for attackers to strut right through their directory paths. Stack-based buffer overflow? More like a buffet overflow where the attackers stuff themselves silly with excess buffer until the system cries for mercy.

A Password in Plain Sight

Let's talk about the cardinal sin of cybersecurity: plaintext password storage. Who needs encryption when you can just leave your keys under the doormat in plain view of the neighborhood cat burglar? This vulnerability is the cybersecurity equivalent of keeping your cash in a glass jar labeled "Definitely Not Money."

Worldwide Woes

These vulnerabilities are not just a local affair; they're ready for their world tour, affecting users globally. The critical infrastructure sectors taking the hit include commercial facilities, manufacturing, energy, and water. So, it's not just your garage door opener at risk — it's the stuff that keeps the lights on and water flowing.

The Unsung Hero

Enter Tomer Goldschmidt, the cybersecurity equivalent of a lifeguard spotting sharks in the kiddie pool. He's waving his red flag and blowing the whistle, alerting us to the dangers lurking in the deep end of the HMI code.

Defensive Playbook

AutomationDirect's response is akin to "Turn it off and on again," but with a bit more flair: update to version 6.78. Meanwhile, CISA is handing out cybersecurity life jackets, urging folks to minimize exposure, isolate from business networks, and use VPNs — but with the caveat that VPNs are only as strong as their weakest password (which, remember, shouldn't be 'password').

No Exploits, Just Vibes

So far, these vulnerabilities are like the Loch Ness Monster of the cybersecurity world: widely talked about but not yet spotted in the wild. CISA hasn't seen any public exploitation, which is cybersecurity speak for "no news is good news." But when news does break, they want you to slide into their DMs with the deets.

There you have it, folks. It's a tale as old as time: update your systems, don't write your passwords on sticky notes, and maybe — just maybe — we can live happily ever after in our digital kingdom.

Tags: AutomationDirect, buffer overflow, C-MORE EA9 HMI, CVSS Scores, ICS security, Path Traversal, Plaintext Password Storage