CVE-2024-24956
📋 TL;DR
This CVE describes an out-of-bounds write vulnerability in AutomationDirect P3-550E programming software that allows remote attackers to cause heap-based memory corruption by sending specially crafted network packets. The vulnerability can lead to arbitrary null-byte writes at a specific memory offset, potentially resulting in denial of service or remote code execution. Organizations using AutomationDirect P3-550E devices with firmware version 1.2.10.9 are affected.
💻 Affected Systems
- AutomationDirect P3-550E
📦 What is this software?
P3 550e Firmware by Automationdirect
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, data exfiltration, or lateral movement within industrial control networks.
Likely Case
Denial of service causing device crashes and disruption of industrial processes, potentially requiring physical intervention to restore functionality.
If Mitigated
Limited impact if devices are isolated in segmented networks with strict firewall rules blocking unnecessary traffic.
🎯 Exploit Status
Exploitation requires crafting specific network packets but no authentication is needed. The vulnerability is well-documented with specific offset information (0xb6a38).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
1. Monitor AutomationDirect security advisories for patch availability.
2. When a patch is released, download it from the official vendor portal.
3. Apply the firmware update following vendor documentation.
4. Restart the device to complete installation.
🔧 Temporary Workarounds
Network Segmentation
Isolate P3-550E devices in dedicated network segments with strict firewall rules
Access Control Lists
Implement network ACLs to restrict access to P3-550E devices to authorized IP addresses only
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to isolate affected devices from untrusted networks
- Monitor network traffic for anomalous patterns and implement intrusion detection systems for the specific device communication protocols
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or serial console. If version is 1.2.10.9, device is vulnerable.
Check Version:
Check via device web interface or use vendor-specific CLI commands if available
Verify Fix Applied:
After applying any future patch, verify firmware version has changed from 1.2.10.9 to a newer version.
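The version check above is manual. As an added example (not part of the advisory or vendor tooling), the following Python classifies a version string copied from the device web interface or console against the advisory's vulnerable version 1.2.10.9. The banner formats and the three outcome labels are assumptions; only the version number comes from the advisory.

```python
"""Added example: classify a reported P3-550E firmware version string
against the vulnerable version named in CVE-2024-24956 (1.2.10.9)."""
import re

# From the advisory: the only firmware version it names as vulnerable.
VULNERABLE_VERSION = (1, 2, 10, 9)

def parse_version(text):
    """Extract the first dotted numeric version from free-form text
    (e.g. a web-interface banner, which is an assumed format here).
    Raises ValueError if no version is present."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no dotted version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def _pad(v, n):
    # Right-pad with zeros so 1.2.10 compares as 1.2.10.0.
    return v + (0,) * (n - len(v))

def assess(banner):
    """Return one of three assumed labels describing how the reported
    version relates to the advisory's vulnerable version."""
    v = parse_version(banner)
    n = max(len(v), len(VULNERABLE_VERSION))
    v, ref = _pad(v, n), _pad(VULNERABLE_VERSION, n)
    if v == ref:
        return "vulnerable"
    if v > ref:
        # Newer than the version the advisory names; confirm against the
        # vendor's release notes once a fix is published.
        return "newer than advisory version"
    # The advisory does not state whether earlier builds are affected.
    return "older than advisory version; status not covered by the advisory"

if __name__ == "__main__":
    # Constructed banners, not real device output.
    for banner in ("P3-550E firmware 1.2.10.9", "Version: 1.2.11.0", "fw 1.2.10"):
        print(f"{banner!r}: {assess(banner)}")
```

Run it with the banner text captured from the device; an input with no dotted version raises rather than silently passing.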
📡 Detection & Monitoring
Log Indicators:
- Device crash logs
- Memory corruption errors in system logs
- Unexpected device restarts
Network Indicators:
- Unusual network traffic patterns to port 502 (Modbus) or other industrial protocol ports
- Malformed packets targeting the FileSystem API
SIEM Query:
source="p3-550e" AND (event_type="crash" OR event_type="memory_error" OR event_type="unexpected_restart")
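As an added example (not from the advisory or any vendor product), the Python below applies the logic of the SIEM query above to constructed key=value log lines and additionally flags when several matching events cluster inside a short window, which is the pattern a repeated crash-and-restart cycle would produce. The log line format, the timestamps and the five-minute window are assumptions; the `source` and `event_type` values mirror the query.

```python
"""Added example: evaluate the advisory's SIEM query over constructed
log lines and flag bursts of crash/restart events."""
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real device logs). Field names follow the
# advisory's SIEM query; timestamps and messages are made up.
SAMPLE_LOGS = [
    '2024-03-01T10:00:01Z source="p3-550e" event_type="heartbeat" msg="ok"',
    '2024-03-01T10:00:31Z source="p3-550e" event_type="crash" msg="watchdog reset"',
    '2024-03-01T10:00:45Z source="p3-550e" event_type="memory_error" msg="heap guard fault"',
    '2024-03-01T10:01:02Z source="p3-550e" event_type="unexpected_restart" msg="cold start"',
    '2024-03-01T10:01:30Z source="hmi-01" event_type="crash" msg="unrelated host"',
    '2024-03-01T10:02:10Z source="p3-550e" event_type="unexpected_restart" msg="cold start"',
]

# The OR-ed event types from the advisory's SIEM query.
MATCH_EVENTS = {"crash", "memory_error", "unexpected_restart"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Split an assumed '<ISO8601 timestamp> key="value" ...' line into a dict."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def matches_siem_query(event, source="p3-550e"):
    """source="p3-550e" AND event_type IN (crash, memory_error, unexpected_restart)."""
    return event.get("source") == source and event.get("event_type") in MATCH_EVENTS

def find_indicators(lines, source="p3-550e"):
    """Return the parsed events that satisfy the SIEM query."""
    return [e for e in map(parse_line, lines) if matches_siem_query(e, source)]

def restart_burst(events, window=timedelta(minutes=5), threshold=2):
    """True if at least `threshold` matching events fall inside any `window`.
    Window and threshold are assumed tuning values, not from the advisory."""
    times = sorted(e["ts"] for e in events)
    for i in range(len(times)):
        j = i
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False

if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOGS)
    for e in hits:
        print(e["ts"].isoformat(), e["event_type"], e.get("msg"))
    print("burst detected:", restart_burst(hits))
```

A single crash entry is a maintenance ticket; several within minutes on the same device, with no scheduled firmware activity, is what should page the on-call engineer and trigger a capture of the traffic reaching the device.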