September 1, 2017 Karn Ganeshen

[ICS] Solar Controls Heating Control Downloader – Insecure Library Loading Allows Code Execution

Vendor: Solar Controls
Equipment: Heating Control Downloader (HCDownloader)
Vulnerability: Uncontrolled Search Path Element

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-02

AFFECTED PRODUCTS

The following versions of Solar Controls’ Heating Control Downloader (HCDownloader) are affected:

Heating Control is a programmable controller of heating involving multiple sources and multiple points of consumption. After the correct installation and setup, the controller will manage the heating of your house etc and it can also provide other control functions.

BACKGROUND

IMPACT
Successful exploitation of this vulnerability may allow arbitrary code execution.

VULNERABILITY OVERVIEW

UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element has been identified, which could allow an attacker to execute arbitrary code on a target system using a malicious DLL file.

CVE-2017-9646 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Missing Libraries

Application Executables (that look for missing DLL)

Steps to reproduce

+++++

Tagged: , , , , , ,