Tuesday, September 6, 2016

[ICS] Multiple vulnerabilities - Powerlogic/Schneider Electric IONXXXX series Smart Meters


Powerlogic/Schneider Electric IONXXXX series - Multiple security issues

Impacted devices:

ION7300 and potentially all IONXXXX models (based off of Powerlogic) 

The following IONXXXX series power meter versions are affected:

  • ION73XX series,
  • ION75XX series,
  • ION76XX series,
  • ION8650 series,
  • ION8800 series, and
  • PM5XXX series.

For example, Power Measurement Ltd. Meter ION 7330V283 ETH ETH7330V274 

http://www.schneider-electric.com/download/hk/en/details/2254511-ETH-7330-V274/?reference=ETH7330V274 

About 
Power & Energy Monitoring System 
Compact energy and power quality meters for feeders or critical loads 

The PowerLogic ION7300 series meters help you: 
• reduce energy and operations costs 
• improve power quality, reliability and uptime 
• optimize equipment use 
for optimal management of your electrical installation and greater productivity 

Used in enterprise energy management applications such as feeder monitoring and sub-metering, ION7300 Series meters offer unmatched value, functionality, and ease of use. ION7300 Series meters interface to PowerLogic StruxureWare software or other automation systems to give all users fast information sharing and analysis. 

ION7300 Series meters are an ideal replacement for analogue meters, with a multitude of power and energy measurements, analogue and digital I/O, communication ports, and industry-standard protocols. The ION7330 meter has on-board data storage, emails of logged data, and an optional modem. The ION7350 meter is further augmented by more sophisticated power quality analysis, alarms and a call-back-on-alarm feature. 

Applications 
- Power monitoring and control operations. 
- Power quality analysis. 
- Cost allocation and billing. 
- Demand and power factor control. 
- Load studies and circuit optimisation. 
- Equipment monitoring and control. 
- Preventive maintenance. 

Rebranded or used as is, by different organizations:

Canada 
Telus Mobility 
Futureway Communications 
Radiant Communications 
Acadia University 
Loyalist College 
Seneca College 
TBayTel 

Mexico 
Universidad Nacional Autonoma de Mexico 

USA 
Frontier Communications 
Cox Communications 
Avon Old Farms School 
University of Pennsylvania 
Princeton University 
City of Glenwood Springs, Electric Department 
University of California, Santa Cruz 
City of Thomasville Utilities 
Comcast Cable 
Verizon Wireless 
City Of Hartford 
AT&T Internet Services 
CNS-Internet 
Comcast Business Communications 
AT&T U-verse 

+++++
Reported to vendor - May 2016
- The vendor team confirmed the issues in multiple models; the vendor point of contact later ceased communication.

Reported to ICS-CERT - July 2016
Advisory published Nov 2016
https://ics-cert.us-cert.gov/advisories/ICSA-16-308-03

CVE-IDs
CVE-2016-5809
CVE-2016-5815
+++++

Vulnerabilities 

HTTP Web Management portal 
Provides stats for Monitor Energy, Revenue, Peak Demand, Voltage Disturbances. 

No access control: by default no authentication is configured for access to the device's web management portal. 

An unauthorized user can access the device management portal and make configuration changes. Because the portal accepts configuration changes via a specific POST request, this can also be exploited at mass scale with simple scripting. 

I suspect it may also be possible to cause denial of service on these devices, as well as on additional devices which directly or indirectly accept / send data to / from these meters, by submitting varying amounts of invalid / junk data. 

Vulnerable to Cross-Site Request Forgery 

There is no CSRF token generated per page and / or per (sensitive) function. Successful exploitation of this vulnerability allows silent execution of unauthorized actions on the device, such as changing configuration parameters and saving the modified configuration. 

Combined with the missing authentication, successful exploitation of these vulnerabilities allows silent execution of unauthorized actions on the device, specifically modifying parameter configurations (voltage modes, polarity, voltage units, current units, interval values) and submitting those configuration changes to the meter. 
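As an added illustration of the two web-portal issues above (added here, not code from the advisory or from Schneider Electric/PowerLogic firmware), the toy portal below shows a configuration-change handler in the form the advisory describes (no session check, no anti-CSRF token) beside a hardened form that requires an authenticated session and a random token bound to that session. The parameter names, the session model and the `MeterPortal` class are assumptions chosen to mirror the advisory's list of affected settings, not the device's real field names or API.

```python
import hmac
import secrets

# Parameters a configuration form might carry. Names mirror the advisory's
# list of affected settings but are assumptions, not the device's real keys.
CONFIG_KEYS = {"voltage_mode", "polarity", "voltage_units",
               "current_units", "interval"}


class Session:
    """An authenticated session with one random CSRF token bound to it."""

    def __init__(self, user):
        self.user = user
        # Embedded as a hidden field in every sensitive form and required
        # back on submission; unguessable to a third-party site.
        self.csrf_token = secrets.token_urlsafe(32)


class MeterPortal:
    """Toy model of a web management portal with a config-change endpoint."""

    def __init__(self):
        # Constructed sample configuration, not real meter defaults.
        self.config = {"voltage_mode": "4W-WYE", "polarity": "normal",
                       "interval": "15"}
        self.sessions = {}

    def open_session(self, user):
        """Called after a successful login (the login itself is out of scope)."""
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = Session(user)
        return session_id

    def csrf_token_for(self, session_id):
        """Token the server renders into each configuration form."""
        return self.sessions[session_id].csrf_token

    # --- Handler in the form the advisory describes -----------------------
    def apply_config_unprotected(self, form):
        """Accepts any POST: no session check and no anti-CSRF token, so a
        forged cross-site form or a scripted POST changes settings."""
        for key, value in form.items():
            if key in CONFIG_KEYS:
                self.config[key] = value
        return True, "saved"

    # --- Hardened handler ---------------------------------------------------
    def apply_config(self, session_id, form):
        """Requires an authenticated session and the token bound to it."""
        session = self.sessions.get(session_id)
        if session is None:
            return False, "authentication required"
        supplied = form.get("csrf_token", "")
        # Constant-time compare against *this* session's token, so a token
        # taken from a different session is rejected as well.
        if not hmac.compare_digest(supplied, session.csrf_token):
            return False, "missing or invalid CSRF token"
        unknown = set(form) - CONFIG_KEYS - {"csrf_token"}
        if unknown:
            return False, "unknown parameters: " + ", ".join(sorted(unknown))
        for key in CONFIG_KEYS & set(form):
            self.config[key] = form[key]
        return True, "saved"


if __name__ == "__main__":
    portal = MeterPortal()
    # A request with no session and no token: accepted by the unprotected
    # handler, refused by the hardened one.
    forged = {"voltage_mode": "3W-DELTA"}
    print(portal.apply_config_unprotected(forged))
    print(portal.apply_config("no-such-session", forged))
    sid = portal.open_session("operator")
    legit = {**forged, "csrf_token": portal.csrf_token_for(sid)}
    print(portal.apply_config(sid, legit))
    print(portal.config)
```

The token is per session rather than per page, which is the simpler of the two schemes the advisory mentions; a per-form token would use the same compare but rotate the value after each successful submission. Rejecting unknown parameters is a separate hardening step that also narrows what junk data the endpoint will accept.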

Front Panel security (Physical) 

Weak Credential Management – The default meter password is factory-set to 0 (zero), and a mandatory default password change is not enforced. 

Front panel meter security lets you configure the meter through the front panel using a meter password. 

Front panel meter security is enabled by default on all ION7300 series meters; all configuration functions in the front panel are password-protected. 

The password is factory‐set to 0 (zero)

Telnet 

Weak Credentials Management 
- Default accounts - different models come with corresponding login creds - documented in the powerlogic admin guide - http://www.powerlogic.com/literature/70072-0102-05.pdf 
- Application does not enforce a mandatory default password change 

For example, for ION7300, default creds are: 
User - 7300 
Password - 0 (zero)
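Both the front-panel and the Telnet findings come down to the same gap: a factory-default password (0 for the ION7300, user 7300 on Telnet) that the device accepts indefinitely. The credential store below is an added example of what "enforce a mandatory default password change" means in code; it is not Schneider Electric/PowerLogic code and the `CredentialStore` design, the PBKDF2 parameters and the minimum password length are assumptions. A factory-default credential is allowed to exist only in a flagged state that cannot log in, the change routine refuses to set the factory value again, and an audit helper lists accounts still sitting on the default.

```python
import hashlib
import hmac
import secrets

# Factory defaults named in the advisory (user 7300, password 0). Kept only
# so the store can detect and refuse them; never accepted as a working login.
FACTORY_DEFAULTS = {"7300": "0"}
MIN_PASSWORD_LENGTH = 8  # assumption for the example


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, user, password, must_change):
        self.user = user
        self.salt = secrets.token_bytes(16)
        self.digest = _hash(password, self.salt)
        self.must_change = must_change

    def verify(self, password):
        return hmac.compare_digest(_hash(password, self.salt), self.digest)


class CredentialStore:
    def __init__(self):
        self.accounts = {}

    def provision(self, user, password):
        """Factory provisioning: a default password may be stored, but the
        account is flagged so it cannot be used until the password changes."""
        is_default = FACTORY_DEFAULTS.get(user) == password
        self.accounts[user] = Account(user, password, must_change=is_default)

    def authenticate(self, user, password):
        """Returns 'denied', 'password_change_required' or 'ok'.
        A correct but still-default password never yields a session."""
        account = self.accounts.get(user)
        if account is None or not account.verify(password):
            return "denied"
        if account.must_change:
            return "password_change_required"
        return "ok"

    def change_password(self, user, old, new):
        account = self.accounts.get(user)
        if account is None or not account.verify(old):
            return False, "current password incorrect"
        if FACTORY_DEFAULTS.get(user) == new:
            return False, "factory default password not allowed"
        if len(new) < MIN_PASSWORD_LENGTH:
            return False, "password too short"
        if account.verify(new):
            return False, "new password must differ from the current one"
        account.salt = secrets.token_bytes(16)
        account.digest = _hash(new, account.salt)
        account.must_change = False
        return True, "changed"

    def accounts_on_factory_default(self):
        """Audit helper: users whose stored password is still the factory default."""
        return sorted(user for user, account in self.accounts.items()
                      if user in FACTORY_DEFAULTS
                      and account.verify(FACTORY_DEFAULTS[user]))


if __name__ == "__main__":
    store = CredentialStore()
    store.provision("7300", "0")              # as shipped
    print(store.accounts_on_factory_default())   # ['7300']
    print(store.authenticate("7300", "0"))       # password_change_required
    print(store.change_password("7300", "0", "0"))
    print(store.change_password("7300", "0", "longer-secret-1"))
    print(store.authenticate("7300", "longer-secret-1"))  # ok
    print(store.accounts_on_factory_default())   # []
```

The audit helper is the piece an operator can act on today: run against an inventory of meters it separates the ones that still need a first-login change from the ones that have been rotated, without ever using the default as a login.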

+++++



Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.