CVE-2021-32986 in CLICK PLC CPU
Summary
by MITRE • 04/05/2022
After Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 is unlocked by an authorized user, the unlocked state does not timeout. If the programming software is interrupted, the PLC remains unlocked. All subsequent programming connections are allowed without authorization. The PLC is only relocked by a power cycle, or when the programming software disconnects correctly.
Analysis
by VulDB Data Team • 04/06/2022
CVE-2021-32986 affects Automation Direct CLICK PLC CPU modules of the C0-1x series running firmware prior to v3.00. The defect is in session handling rather than in the password check itself: once an authorized user unlocks the CPU from the programming software, the unlocked state has no expiration and is not tied to the connection that established it, so it survives software crashes, network faults and every other abnormal end of the programming session. On a controller the unlock is the only gate between a network peer and the program logic, which is why a stale unlock matters more here than a stale session would on a web application.
In terms of state, the affected firmware keeps a single lock flag instead of a session. A successful password check clears the flag; only a correct disconnect sequence from the programming software or a power cycle sets it again. There is no inactivity timer and no relock when the transport goes away (TCP reset, keepalive failure, workstation crash), so an interrupted session leaves the flag cleared indefinitely. Every later programming connection, from any host that can reach the PLC, is then accepted without presenting a password. The weakness is CWE-613, Insufficient Session Expiration; because the stale unlock lets those later connections skip the password check entirely, their practical effect is that of CWE-306, Missing Authentication for Critical Function.
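The two behaviours side by side, as an added model written for this page: it is not Automation Direct firmware, and the class names, the idle timeout value, the sample password and the timings are assumptions. VulnerablePlc reproduces what the advisory describes; HardenedPlc shows the fix a practitioner would expect, an unlock bound to one session that dies with the transport and expires on inactivity.

```python
"""Model of the CLICK unlock state (illustration for this page, not vendor code)."""

from dataclasses import dataclass
from typing import Optional

PASSWORD = "correct horse"  # constructed sample credential


@dataclass
class VulnerablePlc:
    """Single lock flag: cleared on unlock, set again only by clean disconnect or power cycle."""
    unlocked: bool = False

    def unlock(self, password: str) -> bool:
        if password == PASSWORD:
            self.unlocked = True
        return self.unlocked

    def program_download(self, now: float) -> bool:
        # No credential check and no timer: accepted whenever the flag is still cleared.
        return self.unlocked

    def clean_disconnect(self) -> None:
        self.unlocked = False

    def transport_lost(self, now: float) -> None:
        pass  # crash, cable pull or reset leave the flag untouched (the CVE)

    def power_cycle(self) -> None:
        self.unlocked = False


@dataclass
class HardenedPlc:
    """Unlock is a session: a token, an inactivity timer, and relock on transport loss."""
    idle_timeout: float = 300.0  # seconds, assumed value
    unlocked: bool = False
    session: Optional[int] = None
    last_activity: float = 0.0
    _next_session: int = 1

    def relock(self) -> None:
        self.unlocked = False
        self.session = None

    def unlock(self, password: str, now: float) -> Optional[int]:
        if password != PASSWORD:
            return None
        self.unlocked = True
        self.session = self._next_session
        self._next_session += 1
        self.last_activity = now
        return self.session

    def program_download(self, session: Optional[int], now: float) -> bool:
        if self.unlocked and now - self.last_activity > self.idle_timeout:
            self.relock()  # lazy expiry on the next request
        if not self.unlocked or session != self.session:
            return False  # locked, expired, or a token from another session
        self.last_activity = now
        return True

    def clean_disconnect(self) -> None:
        self.relock()

    def transport_lost(self, now: float) -> None:
        self.relock()  # FIN, RST or keepalive failure ends the session too

    def power_cycle(self) -> None:
        self.relock()


def replay_vulnerable() -> dict:
    """Engineer unlocks at t=0, software crashes at t=60, another host connects at t=7200."""
    plc = VulnerablePlc()
    plc.unlock(PASSWORD)
    plc.transport_lost(now=60.0)
    attacker = plc.program_download(now=7200.0)  # no password presented
    plc.power_cycle()
    after_reboot = plc.program_download(now=7201.0)
    return {"attacker_accepted": attacker, "after_power_cycle": after_reboot}


def replay_hardened() -> dict:
    """Same timeline against the hardened model, plus an idle-timeout case."""
    plc = HardenedPlc()
    token = plc.unlock(PASSWORD, now=0.0)
    in_session = plc.program_download(token, now=30.0)
    plc.transport_lost(now=60.0)
    attacker = plc.program_download(session=None, now=7200.0)
    token2 = plc.unlock(PASSWORD, now=7300.0)
    idle = plc.program_download(token2, now=7300.0 + 301.0)  # past idle_timeout
    return {"in_session": in_session, "attacker_accepted": attacker, "after_idle": idle}


if __name__ == "__main__":
    print(replay_vulnerable())  # {'attacker_accepted': True, 'after_power_cycle': False}
    print(replay_hardened())    # {'in_session': True, 'attacker_accepted': False, 'after_idle': False}
```

The point of the hardened variant is that every path out of a session (clean close, transport loss, inactivity, power cycle) converges on the same relock routine, so there is no state in which the CPU is unlocked and nobody owns the session.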
The impact is not limited to reading the project. An unauthenticated peer that reaches the unlocked CPU can download modified control logic, change I/O behaviour or stop the CPU, with consequences for production and for any safety functions the PLC participates in; it can also read out the program, which is the confidentiality side of the issue. The precondition is ordinary: programming sessions are interrupted by workstation crashes, network faults and operators closing laptops, and nothing prevents an adversary who can disrupt traffic between the engineering workstation and the PLC from causing the interruption deliberately. Recovery is awkward as well, since the only remedies on affected firmware are a correct disconnect by the programming software, which the interrupted session by definition did not perform, and a power cycle of the controller, which is not always possible while a process is running.
The fix is the firmware update to v3.00 or later, the version the advisory identifies as no longer affected. Until it is installed, two operational rules follow directly from the behaviour above: every programming session must end with a clean disconnect, and after any interrupted session the PLC must be power-cycled, because nothing else relocks it. Network controls reduce exposure in the meantime: restrict the PLC's programming port to the engineering workstations that need it, and alert on any programming connection from another host, in particular one that follows an abnormally terminated session. ATT&CK Enterprise techniques are a poor fit for this flaw: T1566 is Phishing, not credential harvesting, and T1078, Valid Accounts, does not apply because the follow-on attacker presents no credentials at all. The follow-on activity maps more naturally to ATT&CK for ICS Program Download (T0843) and Modify Program (T0889). Assessments of other controllers should look for the same pattern: an unlock or privileged mode that is a bare flag rather than a session bound to a connection and a timer.
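The monitoring rule above, as an added example that is not part of the original page or of any vendor tool. It assumes a firewall or passive sensor logs each connection to the PLC's programming port together with how it ended; the event names, timestamps and IP addresses are constructed for this page. Since the password exchange is not visible at that layer, every abnormally ended programming session is treated as having left the CPU possibly unlocked until a clean close or a boot is observed, which is exactly the state the advisory describes.

```python
"""Flag the post-interruption window of CVE-2021-32986 from constructed connection logs."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE = re.compile(r"^(?P<ts>\S+) plc=(?P<plc>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")

# Constructed sample: the engineer's session drops with a reset, an unrelated host
# then programs the PLC, a later power cycle relocks it, the engineer reconnects.
SAMPLE_LOG = """\
2022-04-06T10:00:01Z plc=10.1.5.20 src=10.1.5.50 event=prog_connect
2022-04-06T10:07:30Z plc=10.1.5.20 src=10.1.5.50 event=prog_close_abnormal
2022-04-06T11:45:00Z plc=10.1.5.20 src=10.1.5.77 event=prog_connect
2022-04-06T11:46:10Z plc=10.1.5.20 src=10.1.5.77 event=prog_close_clean
2022-04-06T13:00:00Z plc=10.1.5.20 src=- event=plc_boot
2022-04-06T13:10:00Z plc=10.1.5.20 src=10.1.5.50 event=prog_connect
2022-04-06T13:20:00Z plc=10.1.5.20 src=10.1.5.50 event=prog_close_clean
"""


@dataclass
class PlcLockState:
    possibly_unlocked_since: Optional[str] = None  # timestamp of the abnormal close, if any


@dataclass
class Alert:
    ts: str
    plc: str
    rule: str
    detail: str


def assess(log_text: str, engineering_hosts: frozenset = frozenset({"10.1.5.50"})) -> List[Alert]:
    """Replay the log in order and emit alerts; engineering_hosts is the allowlist (assumed)."""
    state: Dict[str, PlcLockState] = {}
    alerts: List[Alert] = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts, plc, src, event = m.group("ts", "plc", "src", "event")
        st = state.setdefault(plc, PlcLockState())
        if event == "prog_connect":
            if src not in engineering_hosts:
                alerts.append(Alert(ts, plc, "connect_from_unexpected_host",
                                    f"{src} is not an engineering workstation"))
            if st.possibly_unlocked_since is not None:
                alerts.append(Alert(ts, plc, "connect_while_possibly_unlocked",
                                    f"{src} opened a programming connection while the CPU may be "
                                    f"unlocked since {st.possibly_unlocked_since} (no credentials needed)"))
        elif event == "prog_close_abnormal":
            # The CVE: an interrupted session leaves the CPU unlocked until a
            # correct disconnect or a power cycle.
            if st.possibly_unlocked_since is None:
                st.possibly_unlocked_since = ts
                alerts.append(Alert(ts, plc, "session_interrupted_relock_required",
                                    f"session from {src} ended abnormally; power-cycle the PLC to relock"))
        elif event == "prog_close_clean":
            # A correct disconnect relocks, whoever performed it. Treat a clean
            # close by an unexpected host as relocking but keep the earlier alerts.
            st.possibly_unlocked_since = None
        elif event == "plc_boot":
            st.possibly_unlocked_since = None  # power cycle relocks
    return alerts


if __name__ == "__main__":
    for a in assess(SAMPLE_LOG):
        print(a.ts, a.plc, a.rule, "-", a.detail)
```

Run on the sample, this produces three alerts: the interrupted session at 10:07:30 (with the instruction to power-cycle), and two for the 11:45:00 connection, one because 10.1.5.77 is not an allowlisted workstation and one because it arrives while the CPU is presumed unlocked. The engineer's reconnect after the boot produces nothing. The allowlist rule is worth keeping even on patched firmware; the possibly-unlocked rule can be retired once every affected CPU runs v3.00 or later.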