Critical security vulnerabilities in Schneider Electric smart meters could allow an attacker a path to remote code execution (RCE), or to reboot the meter causing a denial-of-service (DoS) condition on the device.
Schneider Electric’s PowerLogic ION/PM smart meter product line, like other smart meters, is used by consumers in their homes, but also by utility companies that deploy these meters in order to monitor and bill customers for their services. They’re also used by industrial companies, data centers and healthcare companies.
Two vulnerabilities were disclosed this week, present in numerous versions of the products. According to Claroty, which originally found the flaws, they stem from the fact that the smart meters communicate using a proprietary ION protocol over TCP port 7700, and packets received by the device are parsed by a state machine function.
“We found that it is possible to trigger [a pre-authentication integer-overflow vulnerability] during the packet-parsing process by the main state machine function by sending a crafted request,” researchers said, in a blog posting this week. “This can be done without authentication because the request is fully parsed before it is handled or authentication is checked.”
The function that parses the incoming packet reads the number of items or characters in the string or array and the buffer, which is a fixed size, researchers explained. They discovered that they were able to fully control the size of the buffer with a DWORD that is read from the request.
A DWORD, which is short for “double word,” is a data type definition is an unsigned, 32-bit unit of data that is specific to Microsoft Windows. It can contain an integer value in the range 0 through 4,294,967,295.
“We discovered a bug in the function that is responsible for advancing the parsing buffer, we named this function advance_buffer,” according to Claroty’s analysis. “We found that the advance_buffer function always returns true, regardless of other inner functions failing and returning false. Therefore, providing any large packet size will always pass the advance_buffer function without triggering an error message or exception. Thus, Claroty researchers were able to bypass buffer checks and reach exploitation.”
Two Exploitation Paths, Two Bugs
While researching the different firmware for the smart meters, researchers found that there are two different exploitation paths that arise from improper restriction of operations within a memory buffer, depending on the specific architecture. They reported these as two different vulnerabilities.
The bug tracked as CVE-2021-22714 rates 9.8 out of 10 on the CVSS vulnerability-severity scale.
“This vulnerability [is a] critical integer-overflow vulnerability that could enable an attacker to send a specially crafted TCP packet to the device to either cause it to reboot the meter or remotely run code of their choice, depending on the architecture of the targeted device,” according to the advisory.
Schneider Electric said the affected products include:
- ION7400 (prior to V3.0.0)
- ION9000 (prior to V3.0.0)
- PM8000 (prior to V3.0.0)
The bug tracked as CVE-2021-22713 exists in a number of versions of the PowerLogic ION line of meters, but was assessed a CVSS score of 7.5 because successful exploitation of the versions does not enable remote code execution, and enables only an attacker to force the meter to reboot.
The list of affected products includes:
- ION8650 (prior to V4.40.1)
- ION8800 (prior to V372)
- ION7650 Hardware rev. 4 or earlier (prior to V376)
- ION7650 Hardware rev. 5 (prior to V416)
- ION7700/73xx (all versions)
- ION83xx/84xx/8600 (all versions)
The vulnerability was addressed in updates released in January and March, and users are urged to move to the patched versions:
- ION8650 users should update to V4.40.1, released on Jan. 4
- ION8800 users should update to V372, released on March 3
- ION7650 Hardware rev. 4 or earlier should update to V376, released on March 3
- ION7650 Hardware rev. 5 should update to V416, released on March 3
Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:
- March 24: Economics of 0-Day Disclosures: The Good, Bad and Ugly (Learn more and register!)
- April 21: Underground Markets: A Tour of the Dark Economy (Learn more and register!)