Schneider Electric warns that unpatched PowerLogic ION/PM smart meters are vulnerable to dangerous attacks and urges its customers to update their devices as soon as possible.
An attacker could abuse the flaws to remotely execute malicious code or reboot the meter to cause a denial-of-service (DoS) condition.
Schneider Electric’s PowerLogic ION/PM smart meter product line, like other smart meters, is a connected IoT device used not only by consumers in their homes but also by utility companies to monitor their services and bill customers.
Two vulnerabilities were disclosed last week that make numerous models of the products susceptible to attacks.
According to Claroty, an industrial cybersecurity company that originally discovered the flaws, the vulnerabilities stem from the way the smart meters communicate using a proprietary ION protocol over TCP port 7700:
“We found that it is possible to trigger [a pre-authentication integer-overflow vulnerability] during the packet-parsing process by the main state machine function by sending a crafted request,” researchers said in a blog post. “This can be done without authentication because the request is fully parsed before it is handled or authentication is checked.”
The function that parses the incoming packet reads the number of items or characters in the string or array into a fixed-size buffer, researchers explained. They discovered that the size of that buffer was fully controllable through a DWORD read from the request.
The researchers located the bug in the function responsible for advancing the parsing buffer, which they named advance_buffer.
“We found that the advance_buffer function always returns true, regardless of other inner functions failing and returning false. Therefore, providing any large packet size will always pass the advance_buffer function without triggering an error message or exception. Thus, Claroty researchers were able to bypass buffer checks and reach exploitation.”
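The parsing flaw described above, as an added illustration in C (constructed for this article; not Schneider's firmware or Claroty's research code): a length-prefixed parser whose advance function discards its inner bounds check and always returns true, beside a hardened version that propagates the failure and avoids the wrapping addition. The struct, function and request names are assumed, and the host is assumed to be little-endian.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class, not Schneider's or Claroty's
 * code: a request carries a little-endian DWORD count, then that many bytes. */
typedef struct {
    uint32_t len;   /* total bytes in the request */
    uint32_t pos;   /* parse cursor; invariant: pos <= len */
} cursor_t;

/* Flawed pattern: pos + n can wrap, and the check's result is discarded. */
bool advance_buffer_flawed(cursor_t *c, uint32_t n) {
    bool ok = (c->pos + n <= c->len);   /* wraps when pos + n > UINT32_MAX */
    (void)ok;                           /* inner failure never propagated */
    c->pos += n;                        /* cursor leaves the buffer, or wraps */
    return true;
}

/* Hardened: compare against the remaining length; do not move on failure. */
bool advance_buffer_checked(cursor_t *c, uint32_t n) {
    if (n > c->len - c->pos) return false;   /* cannot wrap while pos <= len */
    c->pos += n;
    return true;
}

/* Reads the DWORD count, steps over the payload; returns end pos or -1. */
int64_t parse_item(const uint8_t *req, uint32_t len,
                   bool (*advance)(cursor_t *, uint32_t)) {
    cursor_t c = { len, 4 };
    uint32_t n;
    if (len < 4) return -1;
    memcpy(&n, req, 4);                 /* little-endian host assumed */
    return advance(&c, n) ? (int64_t)c.pos : -1;
}
/* Constructed sample requests: count DWORD, then payload. */
const uint8_t REQ_GOOD[6]  = { 0x02, 0, 0, 0, 'a', 'b' };          /* count 2 */
const uint8_t REQ_LARGE[6] = { 0x64, 0, 0, 0, 'x', 'y' };          /* count 100 */
const uint8_t REQ_WRAP[6]  = { 0xFE, 0xFF, 0xFF, 0xFF, 'x', 'y' }; /* 0xFFFFFFFE */

int main(void) {
    const uint8_t *reqs[] = { REQ_GOOD, REQ_LARGE, REQ_WRAP };
    for (int i = 0; i < 3; i++)
        printf("req %d: flawed=%lld checked=%lld\n", i,
               (long long)parse_item(reqs[i], 6, advance_buffer_flawed),
               (long long)parse_item(reqs[i], 6, advance_buffer_checked));
    return 0;
}
```

For the oversized count the flawed path reports success with the cursor at 104, past a 6-byte request, and for the wrapping count it reports success with the cursor wrapped back to offset 2; the hardened path rejects both.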
Researchers found two exploitable bugs, both arising from improper restriction of operations within the bounds of a memory buffer.
The first bug, tracked as CVE-2021-22714, has a rating of 9.8 out of 10 on the CVSS vulnerability-severity scale; the second, tracked as CVE-2021-22713, has a CVSS score of 7.5.
The vulnerabilities were addressed in manufacturer updates, and users are urged to move to the patched versions.