CVE-2024-24956 Overview
CVE-2024-24956 is an out-of-bounds write vulnerability in the Programming Software Connection FileSystem API of the AutomationDirect P3-550E programmable logic controller (PLC) running firmware 1.2.10.9. Specially crafted network packets trigger heap-based memory corruption through an arbitrary null-byte write at firmware offset 0xb6a38. An unauthenticated attacker with network access to the controller can send malicious packets to corrupt heap memory and disrupt PLC operation. The flaw is tracked under CWE-787: Out-of-bounds Write and was disclosed by Cisco Talos in advisory TALOS-2024-1938.
Critical Impact
Unauthenticated network attackers can corrupt heap memory on the P3-550E PLC, causing denial of service or potential integrity loss in industrial control environments.
Affected Products
- AutomationDirect P3-550E CPU module
- AutomationDirect P3-550E firmware version 1.2.10.9
- Productivity3000 PLC systems using the affected CPU
Discovery Timeline
- 2024-05-28 - CVE-2024-24956 published to NVD
- 2025-02-12 - Last updated in NVD database
Technical Details for CVE-2024-24956
Vulnerability Analysis
The P3-550E exposes a Programming Software Connection FileSystem API over the network. This API parses request fields that are subsequently used to compute memory offsets and write operations on heap-allocated structures. The handler at firmware offset 0xb6a38 performs an arbitrary single-byte write of a null value 0x00 to an attacker-influenced address.
Because the write target derives from untrusted packet content without bounds enforcement, an attacker can place the null byte at locations beyond the intended buffer. This corrupts adjacent heap metadata, function pointers, or control structures used by the PLC firmware. The corruption can crash the controller or alter program logic state.
The vulnerability requires no authentication and no user interaction. Industrial protocols on PLCs frequently expose management interfaces on the operational technology (OT) network without transport-layer authentication, which broadens the exposure footprint.
Root Cause
The FileSystem API handler lacks bounds validation on offset or length fields extracted from incoming packets. Code at offset 0xb6a38 writes a null byte using an attacker-controlled index, producing the out-of-bounds write condition described in CWE-787.
Attack Vector
The attack vector is network-based. An attacker with reachability to the PLC programming port sends a crafted Programming Software Connection packet containing manipulated FileSystem API parameters. The firmware processes the packet, computes an out-of-bounds destination, and writes the null byte into adjacent heap memory. Refer to the Talos Intelligence Vulnerability Report for detailed packet structure and reproduction information.
Detection Methods for CVE-2024-24956
Indicators of Compromise
- Unexpected P3-550E reboots, watchdog resets, or fault states logged on the PLC chassis.
- Inbound TCP sessions to the Productivity3000 programming port from hosts outside the engineering workstation allowlist.
- Malformed or oversized Programming Software Connection packets captured at the OT network boundary.
- Loss of communication between SCADA/HMI and the P3-550E following anomalous network traffic.
Detection Strategies
- Deploy deep packet inspection (DPI) rules on industrial protocol traffic to flag FileSystem API requests with out-of-range offset or length fields.
- Baseline normal programming traffic between Productivity Suite workstations and PLCs, then alert on deviations in source IP, frequency, or payload size.
- Correlate PLC fault events with network telemetry to identify packet-induced crashes.
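The baselining strategy above can be scripted against session records from a flow collector or OT firewall. The following is an added example, not code from the original advisory or from AutomationDirect: it takes TCP 9999 as the programming port only because the page's own iptables example uses it, and the record format, the engineering subnet, the payload and session-rate ceilings, and the sample records are all constructed for illustration. It raises an alert for a programming-port session from a source outside the engineering allowlist, for a payload larger than the baseline ceiling, and for a burst of sessions from one source within a minute.

```python
"""Baseline-deviation check for P3-550E programming-port sessions.

Added example, not code from the original advisory or from AutomationDirect.
It assumes flow records with the fields 'ts src dst dport bytes' (a constructed
format), takes TCP 9999 as the programming port from the page's iptables
example, and uses an assumed engineering subnet and assumed baseline ceilings.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROGRAMMING_PORT = 9999                                # port used in the page's firewall example
ENGINEERING_ALLOWLIST = [ip_network("10.10.20.0/24")]  # assumed engineering workstation subnet
MAX_PAYLOAD_BYTES = 4096       # assumed ceiling taken from the site's traffic baseline
MAX_SESSIONS_PER_MINUTE = 10   # assumed ceiling taken from the site's traffic baseline


@dataclass(frozen=True)
class Session:
    ts: int            # epoch seconds
    src: str
    dst: str
    dport: int
    payload_bytes: int


def parse_flow_line(line: str) -> Session:
    """Parse one constructed 'ts src dst dport bytes' record."""
    ts, src, dst, dport, nbytes = line.split()
    return Session(int(ts), src, dst, int(dport), int(nbytes))


def is_allowlisted(src: str) -> bool:
    """True when the source address falls inside an engineering subnet."""
    addr = ip_address(src)
    return any(addr in net for net in ENGINEERING_ALLOWLIST)


def find_alerts(sessions):
    """Return (rule, session) pairs for programming-port sessions that deviate
    from the baseline: unexpected source, oversized payload, or a per-minute
    session burst (reported once per source and minute)."""
    alerts = []
    per_src_minute = defaultdict(int)
    for s in sessions:
        if s.dport != PROGRAMMING_PORT:
            continue  # other services are out of scope for this check
        if not is_allowlisted(s.src):
            alerts.append(("unauthorized_source", s))
        if s.payload_bytes > MAX_PAYLOAD_BYTES:
            alerts.append(("oversized_payload", s))
        key = (s.src, s.ts // 60)
        per_src_minute[key] += 1
        if per_src_minute[key] == MAX_SESSIONS_PER_MINUTE + 1:
            alerts.append(("session_burst", s))
    return alerts


# Constructed sample records: one PLC at 10.10.50.10, one trusted workstation
# at 10.10.20.5, one host outside the engineering subnet, and a session burst.
SAMPLE_FLOW_LINES = [
    "1700000000 10.10.20.5 10.10.50.10 9999 1200",   # normal engineering session
    "1700000005 10.10.20.5 10.10.50.10 502 64",      # a different service port, ignored here
    "1700000010 10.10.20.5 10.10.50.10 9999 9000",   # oversized payload from a trusted host
    "1700000015 192.168.77.4 10.10.50.10 9999 512",  # source outside the allowlist
] + [f"{1700000100 + i} 10.10.20.5 10.10.50.10 9999 300" for i in range(11)]  # 11 sessions in one minute


def run_sample():
    """Evaluate the constructed records and return the alerts raised."""
    return find_alerts(parse_flow_line(line) for line in SAMPLE_FLOW_LINES)


if __name__ == "__main__":
    for rule, s in run_sample():
        print(f"{rule:20s} ts={s.ts} src={s.src} dst={s.dst}:{s.dport} bytes={s.payload_bytes}")
```

The ceilings should come from a measured baseline of Productivity Suite traffic at the site, not from the constants above; the burst rule fires once per source and minute so that a runaway engineering session does not flood the SIEM with one alert per packet.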
Monitoring Recommendations
- Forward PLC diagnostic logs and engineering workstation events to a central SIEM for correlation.
- Monitor span/tap traffic on the OT segment for new or unauthorized sources contacting PLC management ports.
- Track firmware version inventory across all P3-550E units to confirm patch coverage.
How to Mitigate CVE-2024-24956
Immediate Actions Required
- Restrict network access to the P3-550E programming interface using firewall rules that permit only authorized engineering workstations.
- Place affected PLCs behind a hardened OT firewall or data diode aligned with the Purdue Model.
- Audit firmware inventories and identify all P3-550E units running 1.2.10.9 or earlier.
- Disable or block remote access to the Programming Software Connection service when not in active use.
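The firmware inventory audit called for here (and under Monitoring Recommendations) is easy to get wrong when versions are compared as strings: "1.2.9.15" sorts above "1.2.10.9" lexically even though it is the older release. The following is an added example, not code from the advisory or from AutomationDirect. It flags every P3-550E at or below 1.2.10.9 as affected, as the page states, and because the page does not name the fixed release it marks newer firmware as needing verification until FIXED_VERSION (a labelled placeholder) is filled in from the vendor's release notes. The CSV layout, the rows, and the model name OTHER-PLC are constructed.

```python
"""Firmware inventory audit for P3-550E units against CVE-2024-24956.

Added example, not from the advisory or from AutomationDirect. The page
states that firmware 1.2.10.9 is affected and that the fix ships in a later
release without naming it, so units at or below 1.2.10.9 are flagged as
affected and anything newer is marked for verification until FIXED_VERSION
(a labelled placeholder) is filled in from the vendor's release notes. The
CSV layout and the rows below are constructed.
"""
import csv
import io

AFFECTED_MAX_VERSION = "1.2.10.9"  # affected release named in the advisory
FIXED_VERSION = None               # PLACEHOLDER: set from AutomationDirect's release notes
IN_SCOPE_MODELS = {"P3-550E"}


def parse_version(text: str) -> tuple:
    """Turn '1.2.10.9' into (1, 2, 10, 9) so that 1.2.9.15 sorts below 1.2.10.9;
    plain string comparison would order these the wrong way round."""
    return tuple(int(part) for part in text.strip().split("."))


def unit_status(model: str, firmware: str) -> str:
    """Classify one unit: not_in_scope, unknown_version, affected, fixed, or
    needs_verification (newer than the affected release, fix not yet confirmed)."""
    if model not in IN_SCOPE_MODELS:
        return "not_in_scope"
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unknown_version"  # needs a manual check; never assume it is patched
    if version <= parse_version(AFFECTED_MAX_VERSION):
        return "affected"
    if FIXED_VERSION is not None and version >= parse_version(FIXED_VERSION):
        return "fixed"
    return "needs_verification"


def audit_inventory(csv_text: str):
    """Annotate each inventory row with its status; rows keep their columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["status"] = unit_status(row["model"], row["firmware"])
        rows.append(row)
    return rows


# Constructed inventory export; 'OTHER-PLC' is a hypothetical model name.
SAMPLE_INVENTORY = """\
unit_id,model,firmware,site
PLC-01,P3-550E,1.2.10.9,Plant A
PLC-02,P3-550E,1.2.9.15,Plant A
PLC-03,P3-550E,1.2.11.2,Plant B
PLC-04,P3-550E,unknown,Plant B
PLC-05,OTHER-PLC,1.2.10.9,Plant C
"""


def affected_units(csv_text: str = SAMPLE_INVENTORY):
    """Unit ids that must be scheduled for a firmware update."""
    return [r["unit_id"] for r in audit_inventory(csv_text) if r["status"] == "affected"]


if __name__ == "__main__":
    for r in audit_inventory(SAMPLE_INVENTORY):
        print(f"{r['unit_id']:8s} {r['model']:10s} {r['firmware']:10s} {r['status']}")
```

Units reported as unknown_version deserve the same urgency as affected ones: an inventory gap on an OT network usually means nobody has confirmed the firmware on that controller at all.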
Patch Information
AutomationDirect addresses this issue in firmware releases following 1.2.10.9. Consult AutomationDirect's product support site and the Talos Intelligence Vulnerability Report for the fixed firmware version applicable to your hardware revision. Apply firmware updates during a scheduled maintenance window with verified backups of the PLC project.
Workarounds
- Segment PLCs onto dedicated VLANs with strict access control lists limiting traffic to engineering subnets.
- Implement industrial intrusion detection systems (IDS) such as Snort or Zeek with rules tuned for Productivity Suite traffic.
- Require jump-host or VPN access for any remote engineering session that interacts with the PLC.
- Enable physical key-switch protections on the PLC where supported to limit runtime program modification.
# Example firewall rule restricting P3-550E programming access to a single engineering workstation
# Replace 10.10.20.5 with the authorized workstation IP and 10.10.50.10 with the PLC IP
iptables -A FORWARD -s 10.10.20.5 -d 10.10.50.10 -p tcp --dport 9999 -j ACCEPT
iptables -A FORWARD -d 10.10.50.10 -p tcp --dport 9999 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


