Critical security vulnerabilities in Schneider Electric's PowerLogic ION/PM smart meters could give an attacker a path to remote code execution (RCE), or let them reboot the meter, causing a denial-of-service (DoS) condition on the device. Two vulnerabilities were disclosed this week and are present in multiple versions of the products. The first, tracked as CVE-2021-22714, has a CVSS score of 9.8. It is a critical integer-overflow vulnerability through which an attacker can send a specially crafted TCP packet to the device to either reboot the meter or remotely run code of their choice, depending on the architecture of the targeted device. CVE-2021-22713 exists in many versions of the PowerLogic ION line of meters and has a CVSS score of 7.5; successful exploitation of those versions does not achieve remote code execution and only allows an attacker to force the meter to reboot.
Unpatched Schneider Electric PowerLogic ION/PM smart meters are open to dangerous attacks.
Critical security vulnerabilities in Schneider Electric smart meters could allow an attacker a path to remote code execution (RCE), or to reboot the meter causing a denial-of-service (DoS) condition on the device.
Schneider Electric’s PowerLogic ION/PM smart meter product line, like other smart meters, is used by consumers in their homes, but also by utility companies that deploy these meters in order to monitor and bill customers for their services. They’re also used by industrial companies, data centers and healthcare companies.
Two vulnerabilities were disclosed this week, present in numerous versions of the products. According to Claroty, which originally found the flaws, they stem from the fact that the smart meters communicate using a proprietary ION protocol over TCP port 7700, and packets received by the device are parsed by a state machine function.
“We found that it is possible to trigger [a pre-authentication integer-overflow vulnerability] during the packet-parsing process by the main state machine function by sending a crafted request,” researchers said, in a blog posting this week. “This can be done without authentication because the request is fully parsed before it is handled or authentication is checked.”
The function that parses the incoming packet reads the number of items or characters in the string or array into a buffer of fixed size, researchers explained. They discovered that they were able to fully control the size of the buffer with a DWORD that is read from the request.
The Schneider Electric PM5000 series.
A DWORD, short for “double word,” is a data-type definition for an unsigned, 32-bit unit of data that is specific to Microsoft Windows. It can hold an integer value in the range 0 through 4,294,967,295.
“We discovered a bug in the function that is responsible for advancing the parsing buffer; we named this function advance_buffer,” according to Claroty’s analysis. “We found that the advance_buffer function always returns true, regardless of other inner functions failing and returning false. Therefore, providing any large packet size will always pass the advance_buffer function without triggering an error message or exception. Thus, Claroty researchers were able to bypass buffer checks and reach exploitation.”
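As an added illustration of the pattern the researchers describe, the following is a constructed model (not Schneider's firmware and not Claroty's code): a wrapper that discards its inner function's failure result, so an attacker-supplied DWORD count passes the length check, shown beside the hardened variant that propagates the failure. The names struct cursor, advance_inner, advance_buffer_vulnerable, advance_buffer_fixed and parse_array are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a packet-parsing cursor (hypothetical, not vendor code). */
struct cursor { const uint8_t *data; size_t len; size_t pos; };

/* Inner step: move the read position forward only if n bytes remain.
   The check is written as "n > remaining" rather than "pos + n > len",
   because pos + n can wrap when computed in 32 bits and pass a naive test. */
static bool advance_inner(struct cursor *c, uint32_t n) {
    if (n > c->len - c->pos) return false;
    c->pos += n;
    return true;
}

/* Vulnerable pattern: the inner result is dropped and success is always reported,
   so any oversized count is accepted by the caller. */
bool advance_buffer_vulnerable(struct cursor *c, uint32_t n) {
    (void)advance_inner(c, n);   /* failure silently ignored */
    return true;
}

/* Hardened pattern: the inner failure is propagated to the caller. */
bool advance_buffer_fixed(struct cursor *c, uint32_t n) {
    return advance_inner(c, n);
}

typedef bool (*advance_fn)(struct cursor *, uint32_t);

/* Parse one array item: a 4-byte little-endian DWORD count followed by
   count payload bytes. Returns the accepted count, or -1 if rejected.
   A caller would copy "count" bytes into a fixed-size buffer, which is
   exactly where an unchecked attacker-controlled count becomes an overflow. */
int64_t parse_array(const uint8_t *pkt, size_t len, advance_fn advance) {
    struct cursor c = { pkt, len, 0 };
    if (len < 4) return -1;
    uint32_t count = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
                     ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    c.pos = 4;
    if (!advance(&c, count)) return -1;  /* only the hardened path gets here */
    return (int64_t)count;
}
```

With a constructed 8-byte packet whose count field is 0xFFFFFFF0, the hardened parser rejects the packet while the vulnerable wrapper reports the 4 GB count as accepted.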
Two Exploitation Paths, Two Bugs
While researching the different firmware for the smart meters, researchers found that there are two different exploitation paths that arise from improper restriction of operations within a memory buffer, depending on the specific architecture. They reported these as two different vulnerabilities.
The bug tracked as CVE-2021-22714 rates 9.8 out of 10 on the CVSS vulnerability-severity scale.
“This vulnerability [is a] critical integer-overflow vulnerability that could enable an attacker to send a specially crafted TCP packet to the device to either cause it to reboot the meter or remotely run code of their choice, depending on the architecture of the targeted device,” according to the advisory.
Schneider Electric said the affected products include:
ION7400 (prior to V3.0.0)
ION9000 (prior to V3.0.0)
The bug tracked as CVE-2021-22713 exists in a number of versions of the PowerLogic ION line of meters, but was assessed a CVSS score of 7.5 because successful exploitation of those versions does not enable remote code execution; it only allows an attacker to force the meter to reboot.
The list of affected products includes:
ION8650 (prior to V4.40.1)
ION7650 Hardware rev. 4 or earlier (prior to V376)
ION7650 Hardware rev. 5 (prior to V416)
ION7700/73xx (all versions)
ION83xx/84xx/8600 (all versions)
The vulnerability was addressed in updates released in January and March, and users are urged to move to the patched versions:
ION8650 users should update to V4.40.1, released on Jan. 4
ION8800 users should update to V372, released on March 3
ION7650 Hardware rev. 4 or earlier should update to V376, released on March 3
ION7650 Hardware rev. 5 should update to V416, released on March 3