Rockwell PowerMonitor Vulnerabilities Allow Remote Hacking of Industrial Systems

Rockwell’s PowerMonitor is affected by critical vulnerabilities that can enable remote access to industrial systems for disruption or further attacks.

Critical vulnerabilities patched by Rockwell Automation in its Allen-Bradley PowerMonitor 1000 product could allow remote hackers to breach an organization’s industrial systems and cause disruption or gain further access. 

The existence of the vulnerabilities came to light this week when Rockwell Automation and the cybersecurity agency CISA released security advisories.

PowerMonitor 1000 is a compact power monitor for load profiling, cost allocation, and energy control. The device can be integrated with other energy monitoring systems and it can easily communicate with other Rockwell industrial control systems (ICS).

Three types of vulnerabilities were discovered in the power monitor, and each of them has been assigned a ‘critical severity’ rating. One of them, CVE-2024-12371, has been described as a device takeover issue.

“This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating admin users and performing factory reset,” Rockwell explained in its advisory.

The second flaw, CVE-2024-12372, can be exploited for DoS attacks and possibly for remote code execution, while the third, CVE-2024-12373, can be exploited for DoS attacks.

The security holes impact PowerMonitor 1000 devices running firmware versions prior to 4.020, the release that contains the patches.

Vera Mens, a security researcher from Team82 of industrial and IoT cybersecurity firm Claroty, who has been credited for responsibly disclosing the vulnerabilities to Rockwell, told SecurityWeek that they have identified — using web scanning services — dozens of vulnerable PowerMonitor devices that are exposed to the internet. 

“We strongly encourage asset owners to promptly update their firmware to ensure full protection,” Mens said.

The researcher noted that the exploitation of these vulnerabilities does not require any authentication — an attacker can target devices after gaining access to the targeted organization’s internal network or directly from the web in the case of internet-exposed devices. 

“Exploiting these vulnerabilities could result in several impacts, including denial of service, authentication bypass, and remote code execution. For example, a denial of service on a device like the PowerMonitor 1000, which is used to monitor power usage in a manufacturing environment, could disrupt the supply chain by preventing accurate tracking of energy consumption, ultimately halting production,” Mens explained. 

“In addition, remote code execution could give an attacker full control over the device, potentially compromising the entire network,” the researcher added. 

Claroty has published individual advisories for each of the PowerMonitor 1000 vulnerabilities: CVE-2024-12373, CVE-2024-12371 and CVE-2024-12372.

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
