There is a public report of a cross site request forgery (CSRF) vulnerability with proof-of-concept (PoC) exploit code affecting Schneider Electric’s ION Power Meter products, according to a report with ICS-CERT.
Exploitation of this remotely exploitable vulnerability can allow unauthorized actions on the device, such as configuration parameter changes and saving modified configuration.
The report released while ICS-CERT was working with Schneider Electric to mitigate the vulnerability.
Schneider Electric reports the vulnerability affects the following products: ION 73xx, ION 75xx, ION 76xx, ION 8650, ION 8800, and PM5xxx.
Schneider Electric identified mitigations for this and other issues and will notify their customers. ICS-CERT issuing an alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.
ION Power Meter products see use in energy management applications such as feeder monitoring and sub-metering. They interface with power monitoring software or other energy management or automation systems for real-time information for monitoring and analysis.
Schneider Electric also said these devices do not force a change of password upon installation of the device. This is not a vulnerability but a deployment issue. ICS-CERT and Schneider Electric recommend users of these devices (or any other control system device) change passwords from the default settings upon installation of the product.
Click here for documentation on security configuration and device password management.
For further information on vulnerabilities in Schneider Electric’s products, click on Schneider Electric’s cybersecurity web page.
Schneider Electric offers the following mitigation device:
• Configuration parameter changes, as well as saving modified configuration can be prevented for a meter by setting the “Webserver Config Access” register to “Disabled.” This register determines whether you can configure your meter through a browser. Valid entries are Enable or Disable. This register is set to Enable by default.
• There is also an “Enable Webserver” register. This register enables or disables the webserver entirely. Values for this register are YES and NO. The webserver is enabled by default (the value is set to YES).
Some power meters may be revenue locked, which further protects unauthorized meter configuration parameter changes, except Owner, Tag1 and Tag2 string registers.