Touch panels deployed in critical infrastructure vulnerable to remote attacks

Manufacturing facilities and processing centers using AutomationDirect C-more Touch Panels are advised to upgrade their firmware ASAP, as older versions contain a high-risk vulnerability (CVE-2020-6969) that may allow attackers to get account information such as usernames and passwords, obscure or manipulate process data, and lock out access to the device.

What are AutomationDirect C-more Touch Panels?

Manufactured by US-based AutomationDirect, the vulnerable C-more Touch Panels EA9 series are human-machine interfaces (HMIs) capable of communicating with a wide variety of programmable logic controllers (PLCs).

According to the recently published ICS-CERT advisory, they are deployed by commercial, critical manufacturing, energy, water and wastewater facilities around the world.

About the vulnerability (CVE-2020-6969)

CVE-2020-6969, reported by Joel Langill of Amentum Mission Engineering & Resilience, is a vulnerability that could allow attackers “to unmask credentials and other sensitive information on ‘unprotected’ project files, which may allow them to remotely access the system and manipulate system configurations.”

The vulnerability can be exploited remotely without authentication or user interaction, may affect confidentiality, integrity and availability of the system, and requires a low skill level to exploit.

The good news is that there are no known public exploits specifically target this vulnerability and that it has been fixed.

AutomationDirect advises users to upgrade to firmware version 6.53. Prior versions (v5.x and 6.x) are all vulnerable.

Control system devices and/or systems should, in general, not be accessible from the internet, CISA recommends, and control system networks and remote devices should be located behind firewalls and isolated from the business network.