Talos Vulnerability Report

TALOS-2024-1943

AutomationDirect P3-550E Programming Software Connection scan_lib.bin library code injection vulnerability

May 28, 2024
CVE Number

CVE-2024-23601

SUMMARY

A code injection vulnerability exists in the scan_lib.bin functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted scan_lib.bin can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

AutomationDirect P3-550E 1.2.10.9

PRODUCT URLS

P3-550E - https://www.automationdirect.com/adc/shopping/catalog/programmable_controllers/productivity3000plcs(modular)/cpus/p3-550e

CVSSv3 SCORE

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-345 - Insufficient Verification of Data Authenticity

DETAILS

The P3-550E is the most recent CPU module released in the Productivity3000 line of Programmable Automation Controllers from AutomationDirect. It is an affordable control CPU which communicates remotely via ethernet, serial, and USB and exposes a variety of control services, including MQTT, Modbus, ENIP and the engineering workstation protocol DirectNET.

The P3-550E executes ‘Projects’ compiled by the engineering workstation software from ladder logic, which are subsequently downloaded onto the device for execution. The on-device representation of these ladder logic programs is structured as $HEADER $OPCODE [$PARAM1] [$PARAM2] [...], where OPCODE is actually an index into an array of statically compiled ‘functions’ that implement the ladder logic element in use. For example, every ladder logic program starts with the following directive: dad8 01f8 0000 000e 0000 0010 0000 0018, which indicates that the program should call the function at offset 0x1f8 into a global static function table. Resolving ladder logic functionality this way keeps the ladder logic largely agnostic to the underlying hardware and revisions, and also allows the static library of ladder logic functionality to be updated on the fly without updating the device’s firmware.

All of these features are implemented within a statically compiled binary named scan_lib.bin. Every time that a project is compiled and downloaded onto the P3-550E a copy of scan_lib.bin is shipped to the device and loaded into memory at a specified address, and the firmware will call into this binary when executing the ladder logic instructions.

The vulnerability arises from the fact that the only validation performed on the provided file is a CRC16, which can be trivially recalculated after any malicious modification. This allows a remote attacker to modify the scan_lib.bin on a device to contain malicious code. This code can be configured to run immediately upon being loaded, when a specific function is executed, or when any other imaginable condition is met.
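The distinction the advisory turns on is integrity versus authenticity: a CRC detects accidental corruption, but any party who can rewrite the file can also rewrite the CRC, so it proves nothing about who produced the image. The following added example (written for this page; it is not Talos or AutomationDirect code and does not reproduce the device's actual check) contrasts a CRC16 trailer with a keyed HMAC-SHA256 trailer over a constructed stand-in for a scan_lib.bin image. The CRC variant (CRC-16/CCITT-FALSE), the key, and the sample bytes are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import struct


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). Assumed variant; the
    advisory only says 'CRC16' and does not name the polynomial."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def append_crc(payload: bytes) -> bytes:
    """Integrity-only trailer: payload || CRC16 (big-endian)."""
    return payload + struct.pack(">H", crc16_ccitt(payload))


def crc_accepts(image: bytes) -> bool:
    """What a CRC-only loader can check: does the trailer match the bytes?"""
    payload, trailer = image[:-2], image[-2:]
    return struct.unpack(">H", trailer)[0] == crc16_ccitt(payload)


def sign_image(payload: bytes, key: bytes) -> bytes:
    """Authenticity trailer: payload || HMAC-SHA256(key, payload)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def hmac_accepts(image: bytes, key: bytes) -> bool:
    """Device-side check: recompute the tag with the device's key and compare
    in constant time. An image produced without the key cannot pass."""
    payload, tag = image[:-32], image[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


# Constructed sample data (not a real library image or device secret).
# The payload embeds the first directive quoted in the advisory so the
# example has something recognisable to protect.
DEMO_KEY = b"constructed-demo-key-not-a-device-secret"
ORIGINAL = b"SCAN_LIB\x00" + bytes.fromhex("dad8 01f8 0000 000e 0000 0010 0000 0018")
ALTERED = ORIGINAL[:-2] + b"\x00\x19"  # last parameter word changed


def demo() -> dict:
    crc_image = append_crc(ORIGINAL)
    mac_image = sign_image(ORIGINAL, DEMO_KEY)

    # Corruption without touching the trailer: both schemes notice.
    corrupted_crc = ALTERED + crc_image[-2:]
    corrupted_mac = ALTERED + mac_image[-32:]

    # A re-wrapped file: the CRC is simply recomputed, so the CRC-only
    # loader is satisfied. Without the key no valid HMAC can be produced,
    # so the best a key-less sender can do is reuse the old tag.
    rewrapped_crc = append_crc(ALTERED)
    rewrapped_mac = ALTERED + mac_image[-32:]

    return {
        "crc_accepts_original": crc_accepts(crc_image),
        "crc_rejects_corrupted": not crc_accepts(corrupted_crc),
        "crc_accepts_rewrapped": crc_accepts(rewrapped_crc),
        "mac_accepts_original": hmac_accepts(mac_image, DEMO_KEY),
        "mac_rejects_corrupted": not hmac_accepts(corrupted_mac, DEMO_KEY),
        "mac_rejects_rewrapped": not hmac_accepts(rewrapped_mac, DEMO_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the results make is that only `crc_accepts_rewrapped` comes back `True`: the CRC loader cannot tell a vendor-built library from a re-packaged one, while the keyed check rejects both the corrupted and the re-wrapped image. For a fielded controller a detached signature verified against a vendor public key held by the firmware is preferable to a shared HMAC key, since a symmetric key stored on the device is itself extractable; the HMAC is used here only because it shows the authenticity property in a few lines.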

VENDOR RESPONSE

A CISA advisory can be found here: https://www.cisa.gov/news-events/ics-advisories/icsa-24-144-01

TIMELINE

2024-02-14 - Initial Vendor Contact
2024-02-15 - Vendor Disclosure
2024-05-23 - Vendor Patch Release
2024-05-28 - Public Release

Credit

Discovered by Matt Wiseman of Cisco Talos.