Critical Security Hole Can Knock Smart Meters Offline
Critical security vulnerabilities in Schneider Electric smart meters could give an attacker a path to remote code execution (RCE), or to rebooting the meter, causing a denial-of-service (DoS) condition on the device.
Schneider Electric’s PowerLogic ION/PM smart meter product line, like other smart meters, is used by consumers in their homes, but also by utility companies that deploy these meters in order to monitor and bill customers for their services. They’re also used by industrial companies, data centers and healthcare companies.
Two vulnerabilities were disclosed this week, present in numerous versions of the products. According to Claroty, which originally found the flaws, they stem from the fact that the smart meters communicate using a proprietary ION protocol over TCP port 7700, and packets received by the device are parsed by a state machine function.
“We found that it is possible to trigger [a pre-authentication integer-overflow vulnerability] during the packet-parsing process by the main state machine function by sending a crafted request,” researchers said, in a blog posting this week. “This can be done without authentication because the request is fully parsed before it is handled or authentication is checked.”
The function that parses the incoming packet reads from the request the number of items or characters in the string or array, while the buffer it copies into is a fixed size, researchers explained. They discovered that they were able to fully control that size with a DWORD read directly from the request.
A DWORD, which is short for “double word,” is a data type definition for an unsigned, 32-bit unit of data that is specific to Microsoft Windows. It can contain an integer value in the range 0 through 4,294,967,295.
“We discovered a bug in the function that is responsible for advancing the parsing buffer; we named this function advance_buffer,” according to Claroty’s analysis. “We found that the advance_buffer function always returns true, regardless of other inner functions failing and returning false. Therefore, providing any large packet size will always pass the advance_buffer function without triggering an error message or exception. Thus, Claroty researchers were able to bypass buffer checks and reach exploitation.”
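The advance_buffer pattern the researchers describe, reduced to a constructed C sketch (added here; it is not Claroty's code or the meter firmware): a wrapper that discards its inner result accepts any claimed length, while the hardened version propagates the failure and also checks the length against the fixed-size destination. The cursor struct, the little-endian DWORD byte order, the 16-byte buffer and the sample packets are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define ITEM_BUF_SIZE 16   /* fixed-size destination buffer, as in the article */
/* Constructed cursor over one received packet. Invariant: pos <= len. */
typedef struct { const uint8_t *data; size_t len; size_t pos; } ion_buf_t;

/* Inner step: move the cursor forward n bytes; false if that runs past the packet.
   Testing n > len - pos (never pos + n > len) keeps the check free of wrap-around. */
static bool advance_inner(ion_buf_t *b, size_t n) {
    if (n > b->len - b->pos) return false;
    b->pos += n;
    return true;
}
/* Flawed wrapper in the shape the article describes: the inner result is dropped. */
static bool advance_buffer_flawed(ion_buf_t *b, size_t n) { (void)advance_inner(b, n); return true; }
/* Hardened wrapper: the inner failure is propagated to the caller. */
static bool advance_buffer_fixed(ion_buf_t *b, size_t n) { return advance_inner(b, n); }

/* Read the item length as a little-endian DWORD (byte order is an assumption). */
static bool read_count(ion_buf_t *b, uint32_t *count) {
    const uint8_t *p = b->data + b->pos;
    if (b->len - b->pos < 4) return false;
    *count = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    b->pos += 4;
    return true;
}

/* Validation only (the copy into the fixed buffer is deliberately omitted):
   returns the accepted item length, or -1 when the packet is rejected. */
long long parse_item_flawed(const uint8_t *pkt, size_t n) {
    ion_buf_t b = { pkt, n, 0 };
    uint32_t count;
    if (!read_count(&b, &count)) return -1;
    if (!advance_buffer_flawed(&b, count)) return -1;  /* never fails, so the length is trusted */
    return count;
}
long long parse_item_fixed(const uint8_t *pkt, size_t n) {
    ion_buf_t b = { pkt, n, 0 };
    uint32_t count;
    if (!read_count(&b, &count)) return -1;
    if (count > ITEM_BUF_SIZE) return -1;               /* must fit the fixed destination */
    if (!advance_buffer_fixed(&b, count)) return -1;    /* must really be present in the packet */
    return count;
}

/* Constructed packets: the first claims a 4096-byte item but carries 4 payload bytes,
   the second claims 4 bytes and carries exactly 4. */
const uint8_t oversized_pkt[8]  = { 0x00, 0x10, 0x00, 0x00, 'A', 'B', 'C', 'D' };
const uint8_t wellformed_pkt[8] = { 0x04, 0x00, 0x00, 0x00, 'A', 'B', 'C', 'D' };
```

The flawed parser reports the oversized packet as a valid 4096-byte item; the hardened one rejects it, and also rejects a small length that the packet does not actually contain.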
The list of affected products includes:
- ION8650 (prior to V4.40.1)
- ION8800 (prior to V372)
- ION7650 Hardware rev. 4 or earlier (prior to V376)
- ION7650 Hardware rev. 5 (prior to V416)
- ION7700/73xx (all versions)
- ION83xx/84xx/8600 (all versions)
The vulnerability was addressed in updates released in January and March, and users are urged to move to the patched versions:
- ION8650 users should update to V4.40.1, released on Jan. 4
- ION8800 users should update to V372, released on March 3
- ION7650 Hardware rev. 4 or earlier should update to V376, released on March 3
- ION7650 Hardware rev. 5 should update to V416, released on March 3
Source: https://threatpost.com