Pre-authentication integer overflow vulnerability identified in PowerLogic ION smart meter

PowerLogic ION

Researchers from industrial cybersecurity firm Claroty revealed this week the presence of a pre-authentication integer-overflow vulnerability in Schneider Electric’s PowerLogic ION firmware. Based on the specific generation, architecture, and version of the product, the security loophole could allow an attacker to remotely execute code or reboot the Schneider smart meter, causing a denial-of-service condition on the device.

These smart meters communicate using a proprietary ION protocol over TCP port 7700, and packets received by the device are parsed by a state machine function. “We found that It is possible to trigger the flaw during the packet-parsing process by the main state machine function by sending a crafted request,” wrote Tal Keren and Rei Henigman, Claroty’s researchers in a blog post. “This can be done without authentication because the request is fully parsed before it is handled or authentication is checked.”

The researchers decided to focus on the flow that parses strings and arrays. “The function that parses the incoming packet reads the number of items or characters in the string or array and the buffer, which is a fixed size. We can fully control the size of the buffer with a DWORD that is read from the request,” they wrote.

“We discovered a bug in the function that is responsible for advancing the parsing buffer, we named this function advance_buffer,” the researchers added. “We found that the advance_buffer function always returns true, regardless of other inner functions failing and returning false. Therefore, providing any large packet size will always pass the advance_buffer function without triggering an error message or exception.”

The buffer is then allocated on the stack and the data is copied. The same integer overflow bug also exists on the stack, and will return a valid address, and will point to an invalid location, they wrote.

Schneider Electric credited the Claroty researchers for identifying and helping to coordinate a response to the vulnerability.

Following the detailed investigation, Claroty researchers discovered the presence of two different exploitation paths depending on the specific architecture and reported these as two different vulnerabilities to the French multinational, which specializes in energy management and automation offerings.

Schneider Electric issued an advisory relating to the vulnerability in its PowerLogic ION7400, PM8000 and ION9000 metering products, which are revenue and power quality meters for utility and industrial electrical network monitoring.

With a CVSS score of 9.8, the improper restriction of operations within a memory buffer vulnerability can cause the meter to reboot or allow for remote code execution. This will enable an attacker to send a specially crafted TCP packet to the device to either cause it to reboot the meter or remotely run code of their choice, depending on the architecture of the targeted device.

Schneider Electric said the affected products include PowerLogic ION 7400 (prior to V3.0.0), ION9000 (prior to V3.0.0), and PM8000 (prior to V3.0.0). It remediated the issue with the July 2020 release of V3.0.0, and users are advised to update.

A similar vulnerability prevails in a number of versions of the Schneider Electric’s PowerLogic ION line of meters, but was assessed a CVSS score of 7.5, as the exploitation of the versions does not enable remote code execution, and only permits the hacker to force the meter to reboot. Schneider Electric said that the ION7700/73xx and ION83xx/84xx/85xx/8600 products are no longer supported with updates and that users should upgrade to supported versions.

Schneider Electric detected last week the existence of several vulnerabilities in its EcoStruxure Building Operation portfolio, deployed in the critical infrastructure sector. The flaws detected were unrestricted upload of dangerous file types, cross-site scripting, improper restriction of XML external entity reference, improper access control, and Windows unquoted search path. These vulnerabilities may allow unauthorized file uploads and command execution by a remote user, which could result in loss of availability, confidentiality, and integrity of the workstation.

In January, Schneider Electric found out-of-bounds read and write, and classic buffer overflow security flaws in the web servers of its Modicon M340, Quantum and Premium equipment deployed in critical infrastructure. If successfully exploited, the Schneider Electric Security flaws may allow write access and the execution of commands, which could result in data corruption or a web server crash.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related