Schneider Electric has published instructions to mitigate a cross-site request forgery (CSRF) vulnerability and a missing access control vulnerability in its IONXXXX series power meters, according to an advisory from ICS-CERT.
These vulnerabilities, discovered by independent researcher Karn Ganeshen, are remotely exploitable.
The following IONXXXX series power meter versions suffer from the issue:
• ION73XX series
• ION75XX series
• ION76XX series
• ION8650 series
• ION8800 series
• PM5XXX series
Schneider Electric’s corporate headquarters is in Paris, France, and maintains offices in more than 100 countries worldwide.
The affected products, IONXXXX series power meters, provide power and energy monitoring. These products end up deployed across several sectors including critical manufacturing, energy, and water and wastewater systems. Schneider Electric said these products see use on a global basis.
The web interface generates no CSRF token that ties state-changing requests to the user's session. Successful exploitation of this vulnerability can allow unauthorized configuration changes to be made and saved.
CVE-2016-5809 has been assigned to this vulnerability, which has a CVSS v3 base score of 8.8.
In addition, no authentication is configured by default, so an unauthorized user can access the device management portal and make configuration changes.
CVE-2016-5815 has been assigned to this vulnerability, which has a CVSS v3 base score of 8.1.
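To make the two defects concrete, the following is an added example (not Schneider Electric's code and not taken from the advisory) modelling a single "change register" endpoint on a meter's web server. The `vulnerable_handle` function behaves as the advisory describes: no session is required and no CSRF token is checked. The `hardened_handle` function adds the two missing checks: a valid session cookie, and a per-session CSRF token compared in constant time, with an Origin header check as defence in depth. The `Meter`, `Request`, register names other than "Enable Webserver", and the `https://meter.local` origin are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed in-memory model of a meter's web server state: a few
# configuration registers and a session table. Hypothetical, not vendor code.
@dataclass
class Meter:
    registers: Dict[str, str] = field(default_factory=lambda: {"Enable Webserver": "YES"})
    sessions: Dict[str, str] = field(default_factory=dict)  # session id -> csrf token

    def login(self) -> Tuple[str, str]:
        """Create an authenticated session and a CSRF token bound to it."""
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = token
        return sid, token


@dataclass
class Request:
    """Minimal HTTP request model: cookies, form fields and the Origin header."""
    cookies: Dict[str, str]
    form: Dict[str, str]
    origin: Optional[str] = None


def vulnerable_handle(meter: Meter, req: Request) -> Tuple[int, str]:
    """Behaviour the advisory describes: no authentication is required and no
    CSRF token is checked, so any request reaching the port changes config."""
    meter.registers[req.form["register"]] = req.form["value"]
    return 200, "saved"


def hardened_handle(meter: Meter, req: Request,
                    allowed_origin: str = "https://meter.local") -> Tuple[int, str]:
    """Same endpoint with the two missing checks added."""
    sid = req.cookies.get("session")
    if sid is None or sid not in meter.sessions:
        return 401, "authentication required"          # closes CVE-2016-5815 class
    expected = meter.sessions[sid]
    supplied = req.form.get("csrf_token", "")
    # Constant-time comparison so token validation does not leak timing.
    if not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"    # closes CVE-2016-5809 class
    # Defence in depth: a browser-initiated cross-site POST carries a foreign Origin.
    if req.origin is not None and req.origin != allowed_origin:
        return 403, "cross-origin request rejected"
    meter.registers[req.form["register"]] = req.form["value"]
    return 200, "saved"


def run_scenarios() -> Dict[str, Tuple[int, int]]:
    """Run three request types against both handlers; return (vulnerable, hardened)
    status codes per scenario so the difference is visible."""
    results = {}
    change = {"register": "Enable Webserver", "value": "NO"}

    # 1. No session at all: the default-unauthenticated case.
    anon = Request(cookies={}, form=dict(change))
    results["unauthenticated"] = (vulnerable_handle(Meter(), anon)[0],
                                  hardened_handle(Meter(), anon)[0])

    # 2. Request arrives with a logged-in user's cookie (as a browser would attach)
    #    but without the session's token and from a foreign origin: the CSRF case.
    m_vuln, m_hard = Meter(), Meter()
    sid_v, _ = m_vuln.login()
    sid_h, _ = m_hard.login()
    forged_v = Request(cookies={"session": sid_v}, form=dict(change), origin="https://other.example")
    forged_h = Request(cookies={"session": sid_h}, form=dict(change), origin="https://other.example")
    results["cross_site"] = (vulnerable_handle(m_vuln, forged_v)[0],
                             hardened_handle(m_hard, forged_h)[0])

    # 3. Legitimate request: session cookie, matching token, same origin.
    m_vuln, m_hard = Meter(), Meter()
    sid_v, tok_v = m_vuln.login()
    sid_h, tok_h = m_hard.login()
    ok_v = Request(cookies={"session": sid_v}, form={**change, "csrf_token": tok_v}, origin="https://meter.local")
    ok_h = Request(cookies={"session": sid_h}, form={**change, "csrf_token": tok_h}, origin="https://meter.local")
    results["legitimate"] = (vulnerable_handle(m_vuln, ok_v)[0],
                             hardened_handle(m_hard, ok_h)[0])
    results["hardened_value_after_legit"] = m_hard.registers["Enable Webserver"]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The token must be generated per session and embedded in the form by the server, so a request built elsewhere cannot know it; the Origin check alone is not sufficient because non-browser clients omit the header, which is why the token check comes first.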
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could exploit them.
Schneider Electric's security notice for these issues is SEVD-2016-256-02.
Schneider Electric recommends the following mitigations:
• Change the configuration by setting the “Webserver Config Access” register to “Disabled.” This register determines whether the user can configure the meter through a browser. Valid entries are Enable or Disable. This register is set to Enable by default.
• Change the “Enable Webserver” register. This register enables or disables the web server entirely. Values for this register are YES and NO. The web server is enabled by default (the value is set to YES). Some power meters may be revenue locked, which further protects against unauthorized changes to meter configuration parameters, except for the Owner, Tag1, and Tag2 string registers.