OTPulse

AutomationDirect Productivity PLCs

Act Now · 9.8 · ICS-CERT ICSA-24-144-01 · May 23, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed

Summary

AutomationDirect Productivity PLCs contain multiple memory corruption vulnerabilities (CWE-805, CWE-787, CWE-121, CWE-284, CWE-489, CWE-345) that allow remote code execution and denial of service. The affected product families are Productivity 3000, Productivity 2000, and Productivity 1000 series CPUs. An attacker can send specially crafted network packets to exploit these flaws without authentication, potentially gaining the ability to execute arbitrary code on the PLC.

What this means
What could happen
An attacker with network access to a Productivity PLC can execute arbitrary code on the device, potentially altering process parameters, stopping operations, or causing equipment damage. The vulnerability affects PLCs used to control manufacturing processes and could impact production availability and safety.
Who's at risk
Manufacturing facilities using AutomationDirect Productivity PLCs (models P3-530, P3-550, P3-550E, P2-550, P1-540, P1-550) for equipment control and process automation. This includes discrete manufacturing, process industries, and any facility relying on these PLCs for critical operations.
How it could be exploited
An attacker would send a specially crafted network packet to the vulnerable PLC's network interface. The packet exploits a buffer overflow or similar memory corruption flaw that allows injection of code into the PLC's memory. Once executed, the attacker's code runs with the PLC's privileges and can interact with controlled equipment and sensors.
Prerequisites
  • Network access to the PLC on its management or control port
  • No authentication credentials required to trigger the vulnerability
  • The PLC must be running one of the affected firmware or software versions listed
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • High CVSS score (9.8)
  • Memory corruption vulnerabilities (buffer overflow, out-of-bounds write)
  • No patch available for affected versions
  • Affects industrial control devices
Exploitability
Moderate exploit probability (EPSS 1.2%)
Affected products (12)
12 EOL
Product | Affected Versions | Fix Status
Productivity 3000 P3-550E CPU: FW_1.2.10.9 | FW 1.2.10.9 | No fix (EOL)
Productivity 3000 P3-550 CPU: FW_1.2.10.9 | FW 1.2.10.9 | No fix (EOL)
Productivity 3000 P3-530 CPU: FW_1.2.10.9 | FW 1.2.10.9 | No fix (EOL)
Productivity 3000 P3-530 CPU: SW_4.1.1.10 | SW 4.1.1.10 | No fix (EOL)
Productivity 2000 P2-550 CPU: FW_1.2.10.10 | FW 1.2.10.10 | No fix (EOL)
Productivity 2000 P2-550 CPU: SW_4.1.1.10 | SW 4.1.1.10 | No fix (EOL)
Productivity 1000 P1-550 CPU: FW_1.2.10.10 | FW 1.2.10.10 | No fix (EOL)
Productivity 1000 P1-540 CPU: FW_1.2.10.10 | FW 1.2.10.10 | No fix (EOL)

Remediation & Mitigation
Do now
WORKAROUND: Physically disconnect the PLC from external networks (internet, LANs, interconnected systems) if firmware updates are not available
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Productivity Suite programming software to version 4.2.0.x or higher
HOTFIX: Update PLC firmware to the latest available version from AutomationDirect
HARDENING: Configure firewall rules and network access control policies to block all incoming and outgoing traffic to the PLC except from authorized engineering workstations
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Productivity 3000 P3-550E CPU: FW_1.2.10.9, Productivity 3000 P3-550 CPU: FW_1.2.10.9, Productivity 3000 P3-530 CPU: FW_1.2.10.9, Productivity 3000 P3-530 CPU: SW_4.1.1.10, Productivity 2000 P2-550 CPU: FW_1.2.10.10, Productivity 2000 P2-550 CPU: SW_4.1.1.10, Productivity 1000 P1-550 CPU: FW_1.2.10.10, Productivity 1000 P1-540 CPU: FW_1.2.10.10, Productivity 3000 P3-550E CPU: SW_4.1.1.10, Productivity 3000 P3-550 CPU: SW_4.1.1.10, Productivity 1000 P1-550 CPU: SW_4.1.1.10, Productivity 1000 P1-540 CPU: SW_4.1.1.10. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate the PLC from other devices and systems within the organization