CVE-2017-14020
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In AutomationDirect CLICK Programming Software (Part Number C0-PGMSW) Versions 2.10 and prior; C-More Programming Software (Part Number EA9-PGMSW) Versions 6.30 and prior; C-More Micro (Part Number EA-PGMSW) Versions 4.20.01.0 and prior; Do-more Designer Software (Part Number DM-PGMSW) Versions 2.0.3 and prior; GS Drives Configuration Software (Part Number GSOFT) Versions 4.0.6 and prior; SL-SOFT SOLO Temperature Controller Configuration Software (Part Number SL-SOFT) Versions 1.1.0.5 and prior; and DirectSOFT Programming Software Versions 6.1 and prior, an uncontrolled search path element (DLL Hijacking) vulnerability has been identified. To exploit this vulnerability, an attacker could rename a malicious DLL to meet the criteria of the application, and the application would not verify that the DLL is correct. Once loaded by the application, the DLL could run malicious code at the privilege level of the application.
En AutomationDirect CLICK Programming Software (Part Number C0-PGMSW) en versiones 2.10 y anteriores; C-More Programming Software (Part Number EA9-PGMSW) en versiones 6.30 y anteriores; C-More Micro (Part Number EA-PGMSW) en versiones 4.20.01.0 y anteriores; Do-more Designer Software (Part Number DM-PGMSW) en versiones 2.0.3 y anteriores; GS Drives Configuration Software (Part Number GSOFT) en versiones 4.0.6 y anteriores; SL-SOFT SOLO Temperature Controller Configuration Software (Part Number SL-SOFT) en versiones 1.1.0.5 y anteriores y DirectSOFT Programming Software en versiones 6.1 y anteriores, se ha identificado una vulnerabilidad de elemento de ruta de búsqueda no controlado (secuestro de DLL). Para explotar esta vulnerabilidad, un atacante podría renombrar un DLL malicioso para cumplir los criterios de la aplicación y esta no verificaría que el DLL es correcto. Una vez es cargado por la aplicación, el DLL podría ejecutar código malicioso al nivel de privilegios de la aplicación.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-08-30 CVE Reserved
- 2017-11-13 CVE Published
- 2023-04-06 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-427: Uncontrolled Search Path Element
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/101780 | Third Party Advisory | |
| https://ics-cert.us-cert.gov/advisories/ICSA-17-313-01 | Issue Tracking |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Automationdirect Search vendor "Automationdirect" | Click Plc Firmware Search vendor "Automationdirect" for product "Click Plc Firmware" | <= 2.10 Search vendor "Automationdirect" for product "Click Plc Firmware" and version " <= 2.10" | - |
Affected
| in | Automationdirect Search vendor "Automationdirect" | Click Plc Search vendor "Automationdirect" for product "Click Plc" | - | - |
Safe
|
| Automationdirect Search vendor "Automationdirect" | C-more Plc Firmware Search vendor "Automationdirect" for product "C-more Plc Firmware" | <= 6.30 Search vendor "Automationdirect" for product "C-more Plc Firmware" and version " <= 6.30" | - |
Affected
| in | Automationdirect Search vendor "Automationdirect" | C-more Plc Search vendor "Automationdirect" for product "C-more Plc" | - | - |
Safe
|
| Automationdirect Search vendor "Automationdirect" | C-more Micro Firmware Search vendor "Automationdirect" for product "C-more Micro Firmware" | <= 4.20.01.0 Search vendor "Automationdirect" for product "C-more Micro Firmware" and version " <= 4.20.01.0" | - |
Affected
| in | Automationdirect Search vendor "Automationdirect" | C-more Micro Search vendor "Automationdirect" for product "C-more Micro" | - | - |
Safe
|
| Automationdirect Search vendor "Automationdirect" | Gs Drives Fimware Search vendor "Automationdirect" for product "Gs Drives Fimware" | <= 4.0.6 Search vendor "Automationdirect" for product "Gs Drives Fimware" and version " <= 4.0.6" | - |
Affected
| in | Automationdirect Search vendor "Automationdirect" | Gs Drives Search vendor "Automationdirect" for product "Gs Drives" | - | - |
Safe
|
| Automationdirect Search vendor "Automationdirect" | Sl-soft Solo Temperature Controller Firmware Search vendor "Automationdirect" for product "Sl-soft Solo Temperature Controller Firmware" | <= 1.1.0.5 Search vendor "Automationdirect" for product "Sl-soft Solo Temperature Controller Firmware" and version " <= 1.1.0.5" | - |
Affected
| in | Automationdirect Search vendor "Automationdirect" | Sl-soft Solo Temperature Controller Search vendor "Automationdirect" for product "Sl-soft Solo Temperature Controller" | - | - |
Safe
|