PatchSiren cyber security CVE debrief
CVE-2024-24958 AutomationDirect CVE debrief
A null-byte write vulnerability in the Programming Software Connection FileSystem API of AutomationDirect Productivity PLCs allows remote attackers to cause heap-based memory corruption via specially crafted network packets. The vulnerability affects multiple Productivity series CPUs across firmware and software versions, with a CVSS 3.1 score of 8.2 (HIGH). The issue was disclosed by CISA on May 23, 2024, and is not currently listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: AutomationDirect
- Product: Productivity 3000 P3-550E CPU
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-23
- Original CVE updated: 2024-05-23
- Advisory published: 2024-05-23
- Advisory updated: 2024-05-23
Who should care
Organizations operating AutomationDirect Productivity series PLCs in industrial control environments, particularly those with network-connected automation systems. Critical infrastructure operators, manufacturing facilities, and any sites using affected Productivity 3000 (P3-550E, P3-550, P3-530), Productivity 2000 (P2-550), or Productivity 1000 (P1-550, P1-540) CPUs should prioritize assessment and remediation.
Technical summary
The vulnerability resides in the Programming Software Connection FileSystem API functionality of AutomationDirect Productivity PLCs. A null-byte write condition can be triggered by specially crafted network packets, resulting in heap-based memory corruption. The affected products span the Productivity 3000, 2000, and 1000 series CPUs with specific firmware and software versions. The attack requires network access to the target PLC but does not require authentication or user interaction. Successful exploitation could impact availability and integrity of the control system.
Defensive priority
HIGH
Recommended defensive actions
- Update Productivity Suite programming software to version 4.2.0.x or higher
- Update Productivity PLC firmware to the latest version available from the vendor
- Physically disconnect affected PLCs from external networks including internet and LANs if patching is not immediately feasible
- Implement network segmentation to isolate PLCs from other organizational systems
- Configure firewall rules or network access control policies to restrict traffic to affected PLCs
- Conduct a thorough network security analysis to determine appropriate security levels for automation control systems
- Review vendor security considerations documentation for additional hardening guidance
Evidence notes
The vulnerability exists in the Programming Software Connection FileSystem API functionality. Specially crafted network packets can lead to heap-based memory corruption. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H, indicating network attack vector with low attack complexity, no privileges required, no user interaction, and high availability impact with low integrity impact.
Official resources
- CVE-2024-24958 CVE record (CVE.org)
- CVE-2024-24958 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-05-23