PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-45368 AutomationDirect CVE debrief

CVE-2024-45368 is a HIGH severity (CVSS 3.1 base score 8.8) authentication bypass affecting the AutomationDirect DirectLogic H2-DM1E programmable logic controller (PLC) running firmware version 2.8.0 and earlier. The PLC's authentication protocol, which appears to be either a custom encoding scheme or a challenge-response exchange, accepts multiple distinct packets as valid responses to a challenge instead of requiring the single, unique response that proves knowledge of the credential. An attacker on the same network segment can therefore send a packet the PLC accepts and bypass authentication without possessing valid credentials. The vector is adjacent network (AV:A) with low attack complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). AutomationDirect has determined that the H2-DM1E cannot be supported within its secure development lifecycle because of the product's age and architectural limitations, so no patch will be issued; organizations must apply compensating controls or migrate to a supported platform.

Vendor
AutomationDirect
Product
DirectLogic H2-DM1E
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-09-12
Original CVE updated
2024-09-12
Advisory published
2024-09-12
Advisory updated
2024-09-12

Who should care

Organizations operating AutomationDirect DirectLogic H2-DM1E PLCs in manufacturing, water/wastewater, energy, or other industrial sectors. Security teams responsible for OT/ICS asset protection and network segmentation. Operational technology engineers managing legacy PLC deployments. Compliance officers addressing NERC CIP, IEC 62443, or sector-specific security requirements for critical infrastructure. Risk managers evaluating end-of-life technology decisions and secure migration strategies.

Technical summary

The H2-DM1E PLC's authentication protocol appears to use either a custom encoding scheme or a challenge-response exchange. The flaw is that the PLC accepts multiple distinct packets as valid authentication responses rather than validating against the single response expected for a given challenge. Because more than one packet satisfies the check, an attacker with adjacent network access can submit a response the PLC accepts without ever holding the credential, bypassing authentication entirely. The CVSS 3.1 vector AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects that exploitation requires adjacent network access but no privileges or user interaction, with complete loss of confidentiality, integrity, and availability of the controller. The product is end-of-life with no firmware update path; AutomationDirect recommends migrating to its BRX series PLCs and, until then, network-layer compensating controls.
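The following is an added example, not code from the advisory, the vendor, or the H2-DM1E firmware. It models the class of flaw the summary describes (a verifier that accepts more than one distinct response to a challenge) next to a strict verifier that accepts exactly one, and shows why the lax form is exploitable without the credential. The HMAC-based response, the 8-byte response length, the shared secret, and the prefix-only comparison used as the lax mechanism are all assumptions for illustration; the real H2-DM1E protocol is not documented on this page.

```python
"""Hypothetical model of a challenge-response verifier that accepts multiple
distinct packets (the flaw class), beside a strict verifier (the fix).
Not the H2-DM1E wire protocol; every constant and mechanism here is assumed."""
import hashlib
import hmac

SHARED_SECRET = b"constructed-demo-secret"   # constructed; real credential handling is undocumented
RESPONSE_LEN = 8                             # assumed response size for the model


def correct_response(secret: bytes, challenge: bytes) -> bytes:
    """The single response a sound challenge-response scheme should accept."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()[:RESPONSE_LEN]


def lax_verify(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Flawed check (assumed mechanism): only the first two bytes of the
    response are compared, so every packet sharing that prefix is accepted
    and the effective credential space collapses to 2**16."""
    expected = correct_response(secret, challenge)
    return response[:2] == expected[:2]


def strict_verify(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Hardened check: the response must have exactly the expected length and
    match the expected value byte for byte, compared in constant time."""
    if len(response) != RESPONSE_LEN:
        return False
    return hmac.compare_digest(correct_response(secret, challenge), response)


def distinct_accepted(verify, secret: bytes, challenge: bytes) -> int:
    """Count how many of 256 distinct packets the verifier accepts: the correct
    response plus 255 variants that differ from it only in byte 2."""
    good = correct_response(secret, challenge)
    packets = [good] + [good[:2] + bytes([b]) + good[3:] for b in range(256) if b != good[2]]
    return sum(1 for p in packets if verify(secret, challenge, p))


def brute_force(verify, challenge: bytes, secret: bytes = SHARED_SECRET):
    """Attacker without the secret: try every 2-byte prefix with a zero tail.
    Returns the first accepted packet, or None if none of the 65536 guesses
    works. The verifier holds the secret; the attacker only sees accept/reject."""
    for a in range(256):
        for b in range(256):
            guess = bytes([a, b]) + bytes(RESPONSE_LEN - 2)
            if verify(secret, challenge, guess):
                return guess
    return None


if __name__ == "__main__":
    challenge = bytes(range(RESPONSE_LEN))   # constructed challenge
    for name, verifier in (("lax", lax_verify), ("strict", strict_verify)):
        print(f"{name}: {distinct_accepted(verifier, SHARED_SECRET, challenge)} of 256 packets accepted; "
              f"brute force without secret: {brute_force(verifier, challenge)}")
```

The point the model makes is independent of the assumed mechanism: as soon as a verifier's accept set for one challenge contains more than a single packet, the credential no longer has to be known, only a member of that set has to be found, and the size of that set is what sets the attacker's work factor.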

Defensive priority

critical

Recommended defensive actions

  • Migrate from H2-DM1E to AutomationDirect BRX platform as primary remediation path
  • Implement network segmentation to isolate H2-DM1E PLCs from enterprise networks and internet-facing systems
  • Deploy air-gapping for critical H2-DM1E installations where operational requirements permit
  • Place remaining H2-DM1E systems behind StrideLinx secure VPN platform for access control
  • Conduct asset inventory to identify all H2-DM1E deployments across operational technology environments
  • Strengthen network-level monitoring of connections to H2-DM1E PLCs, treating any session from outside the approved engineering workstations as suspect; because the bypass is accepted as a valid authentication, it will not show up as a failed login, so the signal is who is connecting rather than whether authentication failed
  • Develop and test incident response procedures for potential compromise of affected PLCs
  • Engage AutomationDirect support for migration planning and alternative architecture guidance
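An added example of the inventory-plus-monitoring actions above, written for this debrief rather than taken from the advisory or the vendor: it checks constructed flow records against a constructed H2-DM1E asset inventory and flags any connection to a PLC programming port that originates outside the OT segment or from a host that is not an approved engineering workstation. The addresses, subnet, and the PLC port number (28784, used here as an assumed programming port) are illustrative and should be replaced with values confirmed from your own environment.

```python
"""Flag traffic to inventoried H2-DM1E PLCs from unexpected sources.
Added example; addresses, subnet and port are constructed/assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

OT_SUBNET = ipaddress.ip_network("10.20.0.0/16")   # constructed OT address space
PLC_INVENTORY = {                                  # constructed asset inventory
    "10.20.5.11": "H2-DM1E line 3",
    "10.20.5.12": "H2-DM1E line 4",
}
ENGINEERING_WORKSTATIONS = {"10.20.9.50"}          # constructed approved sources
PLC_PORTS = {28784}   # assumed PLC programming port; confirm against your own captures


@dataclass
class Alert:
    kind: str
    ts: str
    src: str
    dst: str
    asset: str


def parse_flow(line: str):
    """Parse a constructed 'ts,src,dst,dport,proto' flow record."""
    ts, src, dst, dport, proto = line.strip().split(",")
    return ts, src, dst, int(dport), proto


def classify(ts: str, src: str, dst: str, dport: int) -> Optional[Alert]:
    """Return an Alert when a flow reaches a PLC programming port from a
    source that should not be talking to it; None otherwise."""
    if dst not in PLC_INVENTORY or dport not in PLC_PORTS:
        return None
    asset = PLC_INVENTORY[dst]
    if ipaddress.ip_address(src) not in OT_SUBNET:
        return Alert("enterprise-to-plc", ts, src, dst, asset)     # segmentation failure
    if src not in ENGINEERING_WORKSTATIONS:
        return Alert("unapproved-ot-source", ts, src, dst, asset)  # movement inside OT
    return None


def detect(lines: Iterable[str]) -> List[Alert]:
    """Run classify() over flow records, skipping blanks and '#' comments."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, _proto = parse_flow(line)
        alert = classify(ts, src, dst, dport)
        if alert is not None:
            alerts.append(alert)
    return alerts


SAMPLE_FLOWS = """\
# constructed flow records: ts,src,dst,dport,proto
2024-09-13T08:01:02Z,10.20.9.50,10.20.5.11,28784,tcp
2024-09-13T08:01:09Z,10.20.9.77,10.20.5.11,28784,tcp
2024-09-13T08:02:15Z,192.168.50.23,10.20.5.12,28784,tcp
2024-09-13T08:02:40Z,10.20.9.50,10.20.5.12,502,tcp
2024-09-13T08:03:01Z,10.20.9.50,10.20.5.12,28784,tcp
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS.splitlines()):
        print(f"{a.ts} {a.kind}: {a.src} -> {a.dst} ({a.asset})")
```

Two of the five constructed records are flagged: one OT host that is not an approved workstation, and one enterprise-range source reaching a PLC, which is exactly the path segmentation is meant to close. The inventory dictionary is the piece to keep current; an H2-DM1E that is not in it is invisible to this check.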

Evidence notes

Vulnerability disclosed via CISA ICS advisory ICSA-24-256-17. Authentication protocol anomaly confirmed through protocol analysis showing acceptance of multiple distinct valid authentication responses. Affected product: AutomationDirect DirectLogic H2-DM1E firmware <=2.8.0. Vendor has explicitly stated end-of-life status with no remediation path for the affected product.

Official resources

2024-09-12