PatchSiren cyber security CVE debrief
CVE-2024-22187 AutomationDirect CVE debrief
A critical write-what-where vulnerability exists in the Programming Software Connection Remote Memory Diagnostics functionality of AutomationDirect Productivity PLCs. The vulnerability allows unauthenticated remote attackers to achieve arbitrary memory writes via specially crafted network packets. This vulnerability affects multiple Productivity series CPUs across the P3-550E, P3-550, P3-530, P2-550, P1-550, and P1-540 product lines running specific firmware and software versions. The vulnerability was disclosed on May 23, 2024, with a CVSS 3.1 score of 9.1 (Critical), reflecting network attack vector, low attack complexity, no privileges required, and high impact to integrity and availability.
- Vendor: AutomationDirect
- Product: Productivity 3000 P3-550E CPU
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-23
- Original CVE updated: 2024-05-23
- Advisory published: 2024-05-23
- Advisory updated: 2024-05-23
Who should care
Organizations operating AutomationDirect Productivity series PLCs in industrial control environments, particularly those with network-connected PLCs in manufacturing, process control, building automation, and critical infrastructure sectors. Asset owners, OT security teams, ICS engineers, and network administrators responsible for PLC deployment and maintenance should prioritize assessment and remediation.
Technical summary
The vulnerability exists in the Programming Software Connection Remote Memory Diagnostics functionality. An unauthenticated attacker can send a specially crafted network packet to trigger an arbitrary write condition. This is classified as a write-what-where vulnerability, allowing attackers to write arbitrary values to arbitrary memory locations. The attack requires no authentication and can be executed remotely over the network. The vulnerability affects firmware version 1.2.10.9 on P3-550E, P3-550, and P3-530 CPUs; firmware version 1.2.10.10 on P2-550, P1-550, and P1-540 CPUs; and software version 4.1.1.10 across all affected product lines. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H indicates network accessibility, low complexity, no privileges required, and high impacts to integrity and availability with no confidentiality impact.
Defensive priority
CRITICAL
Recommended defensive actions
- Update Productivity Suite programming software to version 4.2.0.x or higher
- Update Productivity PLC firmware to the latest available version
- Physically disconnect affected PLCs from external networks, including the internet and LANs
- Implement network segmentation to isolate PLCs from other organizational systems
- Configure firewall rules or network access control (NAC) policies to block traffic to affected PLCs
- Conduct a thorough network security analysis to determine the appropriate security level for automation control systems
- Review AutomationDirect security considerations documentation for additional guidance
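To act on the update recommendations, an asset owner first has to know which CPUs and engineering workstations match the versions listed in the technical summary. The following is an added example, not code from CISA, AutomationDirect or this site. The inventory rows, asset names and status labels are constructed for illustration; the model and version values are the ones stated on this page.

```python
"""Triage an OT inventory against the versions this debrief lists for CVE-2024-22187."""

# Affected firmware per CPU model, as listed in the technical summary.
AFFECTED_FIRMWARE = {
    "P3-550E": "1.2.10.9", "P3-550": "1.2.10.9", "P3-530": "1.2.10.9",
    "P2-550": "1.2.10.10", "P1-550": "1.2.10.10", "P1-540": "1.2.10.10",
}
AFFECTED_SOFTWARE = "4.1.1.10"   # Productivity Suite version listed as affected
FIXED_SOFTWARE_MIN = (4, 2, 0)   # "4.2.0.x or higher" from the recommended actions


def parse_version(text):
    """Turn '1.2.10.9' into (1, 2, 10, 9) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def triage_plc(model, firmware):
    """Return 'affected', 'verify' (listed model, other firmware) or 'not-listed'."""
    listed = AFFECTED_FIRMWARE.get(model.strip().upper())
    if listed is None:
        return "not-listed"
    if parse_version(firmware) == parse_version(listed):
        return "affected"
    # The page names no fixed firmware version, so any other build needs a manual check.
    return "verify"


def triage_software(version):
    """Classify a Productivity Suite install against the affected and fixed versions."""
    parsed = parse_version(version)
    if parsed[:3] >= FIXED_SOFTWARE_MIN:
        return "updated"
    return "affected" if parsed == parse_version(AFFECTED_SOFTWARE) else "below-recommended"


# Constructed sample inventory: asset names and pairings are made up for the example.
INVENTORY = [
    {"asset": "line1-plc", "model": "P3-550E", "firmware": "1.2.10.9"},
    {"asset": "line2-plc", "model": "p1-540", "firmware": "1.2.10.10"},
    {"asset": "hvac-plc", "model": "P2-550", "firmware": "1.2.10.9"},
]


def report(inventory):
    """Map each asset name to its triage status."""
    return {row["asset"]: triage_plc(row["model"], row["firmware"]) for row in inventory}


if __name__ == "__main__":
    for asset, status in report(INVENTORY).items():
        print(f"{asset}: {status}")
```

A `verify` result means the model is in scope but the firmware build differs from the one listed here, so it should be checked against the vendor advisory rather than treated as safe.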
Evidence notes
The vulnerability description and affected products are derived from CISA CSAF advisory ICSA-24-144-01, which identifies the write-what-where condition in the Remote Memory Diagnostics functionality. The advisory specifies that unauthenticated network packets can trigger arbitrary writes. Twelve specific product configurations are identified as affected, spanning firmware versions 1.2.10.9 and 1.2.10.10, and software version 4.1.1.10.
Official resources
- CVE-2024-22187 CVE record (CVE.org)
- CVE-2024-22187 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-05-23