CVE-2024-22187
📋 TL;DR
CVE-2024-22187 is an unauthenticated write-what-where vulnerability in AutomationDirect P3-550E's Programming Software Connection Remote Memory Diagnostics functionality. Attackers can send specially crafted network packets to perform arbitrary memory writes, potentially leading to remote code execution. This affects P3-550E version 1.2.10.9 and potentially earlier versions.
💻 Affected Systems
- AutomationDirect P3-550E
📦 What is this software?
P1 540 Firmware by Automationdirect
P1 550 Firmware by Automationdirect
P2 550 Firmware by Automationdirect
P3 530 Firmware by Automationdirect
P3 550 Firmware by Automationdirect
P3 550e Firmware by Automationdirect
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, device takeover, and lateral movement within industrial control networks.
Likely Case
Denial of service, memory corruption, or limited code execution affecting device availability and integrity.
If Mitigated
No impact if device is isolated from untrusted networks and proper network segmentation is implemented.
🎯 Exploit Status
The vulnerability is unauthenticated and network-based, making exploitation relatively straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Contact AutomationDirect for updated firmware
Vendor Advisory: https://community.automationdirect.com/s/internal-database-security-advisory/a4GPE0000003yXV2AY/sa00036
Restart Required: Yes
Instructions:
1. Contact AutomationDirect support for updated firmware.
2. Backup current configuration.
3. Apply firmware update following vendor instructions.
4. Restart device.
5. Verify functionality.
🔧 Temporary Workarounds
Network Isolation
Isolate P3-550E devices from untrusted networks using firewalls or network segmentation.
Disable Remote Diagnostics
Disable Programming Software Connection Remote Memory Diagnostics functionality if not required.
🧯 If You Can't Patch
- Implement strict network access controls to limit access to P3-550E devices only from trusted management stations.
- Deploy network intrusion detection/prevention systems to monitor for exploit attempts targeting this vulnerability.
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via Programming Software interface. If version is 1.2.10.9 or earlier, device is vulnerable.
Check Version:
Use AutomationDirect Programming Software to connect to device and check firmware version in device properties.
Verify Fix Applied:
Verify firmware version has been updated to a version provided by AutomationDirect that addresses this vulnerability.
📡 Detection & Monitoring
Log Indicators:
- Unusual network connections to port 1962
- Memory diagnostic function errors
- Unexpected device restarts
Network Indicators:
- Network traffic to port 1962 with malformed packets
- Unusual traffic patterns to P3-550E devices
SIEM Query:
source_ip:external AND dest_port:1962 AND protocol:TCP AND (packet_size:unusual OR payload_pattern:suspicious)
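The "port 1962" indicator combined with the "trusted management stations only" control can be checked offline against exported flow records. The following is an added example, not part of the vendor or Talos advisories; the CSV layout, the station addresses and the subnets are assumptions and the sample records are constructed.

```python
import csv
import io
import ipaddress

PLC_PORT = 1962  # port named in the indicators above
# Hypothetical values: adjust to the site's real addressing plan.
TRUSTED_STATIONS = {ipaddress.ip_address("10.20.0.5"), ipaddress.ip_address("10.20.0.6")}
PLC_SUBNET = ipaddress.ip_network("10.20.30.0/24")
SITE_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample flow records: timestamp, src, dst, dst_port, proto
SAMPLE_FLOWS = """\
2024-06-01T08:00:01Z,10.20.0.5,10.20.30.11,1962,tcp
2024-06-01T08:03:17Z,10.20.44.9,10.20.30.11,1962,tcp
2024-06-01T08:03:18Z,203.0.113.40,10.20.30.12,1962,tcp
2024-06-01T08:04:00Z,10.20.44.9,10.20.30.11,502,tcp
2024-06-01T08:05:30Z,10.20.0.6,10.20.30.12,1962,tcp
not,a,valid,record
"""

def find_untrusted_1962(flow_csv):
    """Return (alerts, skipped): TCP flows to PLC_PORT on the PLC subnet from
    sources outside TRUSTED_STATIONS, plus the count of unparseable rows."""
    alerts, skipped = [], 0
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            ts, src, dst, port, proto = row  # wrong field count raises ValueError
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            skipped += 1  # count bad rows so gaps in the export are visible
            continue
        if proto.lower() != "tcp" or port != PLC_PORT or dst_ip not in PLC_SUBNET:
            continue
        if src_ip not in TRUSTED_STATIONS:
            # "external" marks sources from outside the site network entirely
            alerts.append({"time": ts, "src": src, "dst": dst,
                           "external": src_ip not in SITE_NET})
    return alerts, skipped

if __name__ == "__main__":
    hits, bad_rows = find_untrusted_1962(SAMPLE_FLOWS)
    for hit in hits:
        print(hit)
    print("unparseable rows:", bad_rows)
```

Internal sources that are not management stations are reported as well as external ones, since a host inside the control network reaching port 1962 is the lateral-movement case described under Risk & Real-World Impact.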
🔗 References
- https://community.automationdirect.com/s/internal-database-security-advisory/a4GPE0000003yXV2AY/sa00036
- https://talosintelligence.com/vulnerability_reports/TALOS-2024-1940
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1940