CVSS: 7.5EPSS: 0%CPEs: 40EXPL: 0CVE-2021-32982 – Automation Direct CLICK PLC CPU Modules Cleartext Transmission of Sensitive Information
https://notcve.org/view.php?id=CVE-2021-32982
Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 passwords are sent as plaintext during unlocking and project transfers. An attacker who has network visibility can observe the password exchange. Módulos de CPU de PLC CLICK de Automation Direct: CPUs C0-1x con versiones de firmware anteriores a v3.00, las contraseñas son enviadas como texto plano durante el desbloqueo y las transferencias de proyectos. Un atacante que tenga visibilidad de la red puede observar el intercambio de contraseñas • https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-02 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 9.8EPSS: 0%CPEs: 40EXPL: 0CVE-2021-32986 – Automation Direct CLICK PLC CPU Modules Authentication Bypass Using an Alternate Path or Channel
https://notcve.org/view.php?id=CVE-2021-32986
After Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, the unlocked state does not timeout. If the programming software is interrupted, the PLC remains unlocked. All subsequent programming connections are allowed without authorization. The PLC is only relocked by a power cycle, or when the programming software disconnects correctly. Después de los módulos de CPU del PLC CLICK de Automation Direct: C0-1x con versiones de firmware anteriores a v3.00, son desbloqueados por un usuario autorizado, el estado de desbloqueo no es agotado. • https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-02 • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 40EXPL: 0CVE-2021-32984 – Automation Direct CLICK PLC CPU Modules Authentication Bypass Using an Alternate Path or Channel
https://notcve.org/view.php?id=CVE-2021-32984
All programming connections receive the same unlocked privileges, which can result in a privilege escalation. During the time Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, an attacker can connect to the PLC and read the project without authorization. Todas las conexiones de programación reciben los mismos privilegios desbloqueados, lo que puede resultar en una escalada de privilegios. Durante el tiempo que los Módulos de CPU de PLC CLICK de Automation Direct: CPUs C0-1x con versiones de firmware anteriores a v3.00, es desbloqueado por un usuario autorizado, un atacante puede conectarse al PLC y leer el proyecto sin autorización • https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-02 • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 7.5EPSS: 0%CPEs: 40EXPL: 0CVE-2021-32978 – Automation Direct CLICK PLC CPU Modules Plaintext Storage of a Password
https://notcve.org/view.php?id=CVE-2021-32978
The programming protocol allows for a previously entered password and lock state to be read by an attacker. If the previously entered password was successful, the attacker can then use the password to unlock Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00. El protocolo de programación permite que un atacante lea la contraseña introducida previamente y el estado de bloqueo. Si la contraseña introducida previamente fue satisfactoria, el atacante puede usar la contraseña para desbloquear los módulos de CPU del PLC de Automation Direct CLICK: CPUs C0-1x con versiones de firmware anteriores a v3.00 • https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-02 • CWE-256: Plaintext Storage of a Password CWE-522: Insufficiently Protected Credentials •
CVSS: 9.8EPSS: 0%CPEs: 40EXPL: 0CVE-2021-32980 – Automation Direct CLICK PLC CPU Modules Authentication Bypass Using an Alternate Path or Channel
https://notcve.org/view.php?id=CVE-2021-32980
Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 does not protect against additional software programming connections. An attacker can connect to the PLC while an existing connection is already active. Módulos de CPU del PLC CLICK de Automation Direct: Las CPUs C0-1x con firmware versiones anteriores a v3.00, no protegen contra conexiones de programación de software adicionales. Un atacante puede conectarse al PLC mientras una conexión presente ya está activa • https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-02 • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel •