CVE-2024-23601

Published: May 28, 2024Modified: Feb 12, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: CNA (Secondary)

Description

A code injection vulnerability exists in the scan_lib.bin functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted scan_lib.bin can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Affected (12)

Products: Automationdirect: P3 550e Firmware, P3 550 Firmware, P3 530 Firmware, P2 550 Firmware, P1 550 Firmware, P1 540 Firmware

6 products

Configuration A

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Automationdirect P3 550e Firmware	Version 1.2.10.9
Automationdirect P3 550e Firmware	Version 4.1.1.10

Running on/with	Platform Versions
Automationdirect P3 550e	All versions

Configuration B

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Automationdirect P3 550 Firmware	Version 1.2.10.9
Automationdirect P3 550 Firmware	Version 4.1.1.10

Running on/with	Platform Versions
Automationdirect P3 550	All versions

Configuration C

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Automationdirect P3 530 Firmware	Version 1.2.10.9
Automationdirect P3 530 Firmware	Version 4.1.1.10

Running on/with	Platform Versions
Automationdirect P3 530	All versions

Configuration D

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Automationdirect P2 550 Firmware	Version 1.2.10.10
Automationdirect P2 550 Firmware	Version 4.1.1.10

Running on/with	Platform Versions
Automationdirect P2 550	All versions

Configuration E

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Automationdirect P1 550 Firmware	Version 1.2.10.10
Automationdirect P1 550 Firmware	Version 4.1.1.10

Running on/with	Platform Versions
Automationdirect P1 550	All versions

Configuration F

2 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Automationdirect P1 540 Firmware	Version 1.2.10.10
Automationdirect P1 540 Firmware	Version 4.1.1.10

Running on/with	Platform Versions
Automationdirect P1 540	All versions

Related CWEs

CWE-345

Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

https://community.automationdirect.com/s/internal-database-security-advisory/a4GPE0000003ycL2AQ/sa00039

Source: talos-cna@cisco.com

Vendor Advisory

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1943

Source: talos-cna@cisco.com

Third Party Advisory

https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1943

Source: talos-cna@cisco.com

Third Party Advisory

https://community.automationdirect.com/s/internal-database-security-advisory/a4GPE0000003ycL2AQ/sa00039

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1943

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.talosintelligence.com/vulnerability_reports/TALOS-2024-1943

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.