CVE-2021-32982

NVD

https://nvd.nist.gov/vuln/detail/CVE-2021-32982

CWE

https://cwe.mitre.org/data/definitions/319.html

Automation Direct CLICK PLC CPU Modules: C0-1x CPUs with firmware prior to v3.00 passwords are sent as plaintext during unlocking and project transfers. An attacker who has network visibility can observe the password exchange.

Weakness

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Affected Software

Name	Vendor	Start Version	End Version
C0-10dd1e-d_firmware	Automationdirect	*	3.00 (excluding)

Potential Mitigations

https://cwe.mitre.org/data/definitions/102.html
https://cwe.mitre.org/data/definitions/117.html
https://cwe.mitre.org/data/definitions/383.html
https://cwe.mitre.org/data/definitions/477.html
https://cwe.mitre.org/data/definitions/65.html

References

https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-02
https://www.cisa.gov/uscert/ics/advisories/icsa-21-166-02

Cleartext Transmission of Sensitive Information

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References