Vulnerabilities Allow Hackers to Disrupt, Hijack Schneider PowerLogic Devices


Vulnerabilities discovered in some older Schneider Electric PowerLogic products can allow hackers to remotely take control of devices or disrupt them.

Schneider informed customers earlier this month that its PowerLogic EGX100 and EGX300 communication gateways are affected by six types of vulnerabilities that could be exploited to access devices, launch denial-of-service (DoS) attacks, and achieve remote code execution. The impacted products are part of the company’s power monitoring and control offering, but they have reached end of life.

Five of the security holes have been rated critical or high severity, and they are caused by improper input validation. They can be exploited for DoS attacks or remote code execution using specially crafted HTTP packets.

Another high-severity vulnerability is related to the password recovery mechanism and it can be exploited to gain administrator-level access to a device.

The flaws have been assigned the CVE identifiers CVE-2021-22763 through CVE-2021-22768. They were reported to Schneider by Jake Baines, principal industrial control vulnerability analyst at industrial cybersecurity firm Dragos. The issues were discovered in EGX devices, but Schneider has determined that two of the flaws also impact PowerLogic PM55xx power metering devices due to them sharing web server code.

Baines told SecurityWeek that some of the vulnerabilities he discovered could be exploited over the internet — they can be exploited remotely without authentication — and there are a small number of devices that are exposed to the web. However, he says ethernet gateways are typically not — or should not be — connected to the internet.

The researcher has described a few theoretical attack scenarios that are plausible in the real world.

“For example, CVE-2021-22763 is a backdoor account that gives full admin access to the device’s web server. As long as the attacker can reach the server, and knows the device’s ethernet address, they have full administration rights to the device. Although, this is largely only useful to an attacker to block access to the connected serial devices, so the true impact of the attack is dependent on the connected devices.

CVE-2021-22764 is a similar situation. A remote and unauthenticated adversary can send HTTP requests that will cause the device to block access to the connected serial devices.

The more interesting, but more complicated are the vulnerabilities scored 9.8. These all allow an unauthenticated and remote attacker to run arbitrary code on the device. The vulnerabilities are stack-based buffer overflows, so writing a full exploit would take effort. While it’s possible that could happen, it’s unlikely that it actually has or ever will. However, the ability to run code on the device is interesting because it would allow the adversary to alter communication between the connected serial device and the monitoring/control systems.”

PowerLogic EGX100 and EGX300 products have been discontinued and are no longer supported. Customers can either replace the devices or implement mitigations recommended by the vendor to reduce the risk of exploitation.

In the case of PowerLogic PM55xx products, Schneider has started releasing firmware updates that should address the two vulnerabilities affecting these devices.


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
