Vulnerabilities Allow Hackers to Disrupt, Hijack Schneider PowerLogic Devices

Vulnerabilities discovered in some older Schneider Electric PowerLogic products can allow hackers to remotely take control of devices or disrupt them.

Schneider informed customers earlier this month that its PowerLogic EGX100 and EGX300 communication gateways are affected by six types of vulnerabilities that could be exploited to access devices, launch denial-of-service (DoS) attacks, or execute code remotely. The impacted products are part of the company’s power monitoring and control offering, but they have reached end of life.

Five of the security holes have been rated critical or high severity, and they are caused by improper input validation. They can be exploited for DoS attacks or remote code execution using specially crafted HTTP packets.
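As an added illustration of the bug class the advisory describes (improper input validation on HTTP input leading to a stack-based overflow), here is a hypothetical embedded web server routine that copies the request path into a fixed-size stack buffer, first without a bound check and then with one. This is constructed example code, not Schneider’s or the researcher’s code, and the request format and buffer size are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_MAX_LEN 64   /* assumed size of the on-device path buffer */

/* Vulnerable pattern: the path length from the request line
 * ("GET /path HTTP/1.1") is never compared against the buffer size,
 * so a long path overwrites the stack. Shown for contrast only;
 * nothing below calls this function. */
int handle_request_unchecked(const char *request_line) {
    char path[PATH_MAX_LEN];
    const char *start = strchr(request_line, ' ');
    if (start == NULL) return -1;
    start++;
    const char *end = strchr(start, ' ');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    memcpy(path, start, len);      /* len may exceed sizeof(path) */
    path[len] = '\0';
    return 0;
}

/* Hardened form: validate the length before copying and refuse the
 * request outright when the path does not fit, rather than trusting
 * whatever the remote client sent. Returns 0 on success, -1 on a
 * malformed line, -2 when the path is empty or too long. */
int handle_request_checked(const char *request_line, char *path_out, size_t out_size) {
    const char *start = strchr(request_line, ' ');
    if (start == NULL) return -1;
    start++;
    const char *end = strchr(start, ' ');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len == 0 || len >= out_size) return -2;
    memcpy(path_out, start, len);
    path_out[len] = '\0';
    return 0;
}

/* Builds a constructed request line whose path is path_len bytes long
 * ("/" followed by 'A's) and feeds it to the checked handler. */
int probe_path_length(size_t path_len) {
    char path[PATH_MAX_LEN];
    char *req = malloc(path_len + 16);
    if (req == NULL || path_len == 0) { free(req); return -99; }
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', path_len - 1);
    memcpy(req + 4 + path_len, " HTTP/1.1", 10);   /* includes the NUL */
    int rc = handle_request_checked(req, path, sizeof path);
    free(req);
    return rc;
}
```

The checked handler accepts paths shorter than the buffer and rejects anything at or beyond its size; the unchecked one would silently corrupt the stack on the same input.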

Another high-severity vulnerability is related to the password recovery mechanism and it can be exploited to gain administrator-level access to a device.

The flaws have been assigned the CVE identifiers CVE-2021-22763 through CVE-2021-22768. They were reported to Schneider by Jake Baines, principal industrial control vulnerability analyst at industrial cybersecurity firm Dragos. The issues were discovered in EGX devices, but Schneider has determined that two of the flaws also impact PowerLogic PM55xx power metering devices because they share web server code.

Baines told SecurityWeek that some of the vulnerabilities he discovered could be exploited over the internet — they can be exploited remotely without authentication — and there are a small number of devices that are exposed to the web. However, he says ethernet gateways are typically not — or should not be — connected to the internet.

The researcher has described a few theoretical attack scenarios that are plausible in the real world.

“For example, CVE-2021-22763 is a backdoor account that gives full admin access to the device’s web server. As long as the attacker can reach the server, and knows the device’s ethernet address, they have full administration rights to the device. Although, this is largely only useful to an attacker to block access to the connected serial devices, so the true impact of the attack is dependent on the connected devices.

CVE-2021-22764 is a similar situation. A remote and unauthenticated adversary can send HTTP requests that will cause the device to block access to the connected serial devices.

The more interesting, but more complicated, are the vulnerabilities scored 9.8. These all allow an unauthenticated and remote attacker to run arbitrary code on the device. The vulnerabilities are stack-based buffer overflows, so writing a full exploit would take effort. While it’s possible that could happen, it’s unlikely that it actually has or ever will. However, the ability to run code on the device is interesting because it would allow the adversary to alter communication between the connected serial device and the monitoring/control systems.”

PowerLogic EGX100 and EGX300 products have been discontinued and are no longer supported. Customers can either replace the devices or implement mitigations recommended by the vendor to reduce the risk of exploitation.

In the case of PowerLogic PM55xx products, Schneider has started releasing firmware updates that should address the two vulnerabilities affecting these devices.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
