September 1, 2017 Karn Ganeshen

[ICS] Solar Controls WATTConfig M Software – Insecure Library Loading Allows Code Execution

Vendor: Solar Controls
Equipment: WATTConfig M Software
Vulnerability: Uncontrolled Search Path Element

ICS-CERT Advisory
https://ics-cert.us-cert.gov/advisories/ICSA-17-222-03

AFFECTED PRODUCTS

The following versions of Solar Controls’ WATTConfig M Software for Windows 2.5.10 for M SSR/MAX PLCs are affected:


WATTrouter M SSR

WATTrouter M SSR is versatile programmable controller to optimize self-consumption of energy produced by photovoltaic or wind power plant. There is possible to connect 2 external solid-state relays (SSR). Current measurement range is 3x20A.

WATTrouter M MAX

WATTrouter M MAX is versatile programmable controller to optimize self-consumption of energy produced by photovoltaic or wind power plant. There is possible to connect 2 external solid-state relays (SSR). Current measurement range is 3x100A.

BACKGROUND

IMPACT
Successful exploitation of this vulnerability may allow arbitrary code execution.

VULNERABILITY OVERVIEW

UNCONTROLLED SEARCH PATH ELEMENT CWE-427
An uncontrolled search path element has been identified, which could allow an attacker to execute arbitrary code on a target system using a malicious DLL file.

CVE-2017-9648 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Missing Libraries

Application Executables (that look for missing DLL)

Steps to reproduce

+++++

Tagged: , , , , , , ,