Two remotely exploitable vulnerabilities, one of which can lead to remote code execution, have been found in Schneider Electric’s ION Power Meter products and FENIKS PRO Elnet Energy Meters.
What’s more, security researcher Karn Ganeshen, who discovered the flaws, published in detail his findings after the companies kept dragging their feet when it came to fixing the problems or updating him of their progress.
The Industrial Control Systems Cyber Emergency Response Team has released alerts for both vulnerabilities because of this.
But while Schneider Electric has worked with ICS-CERT, acknowledged the existence of the CSCR flaw affecting several of its power meters (that are used in energy management applications such as feeder monitoring and sub-metering), and has identified mitigations that will share with their customers, FENIKS PRO has yet to acknowledge the problem.
According to the alert, the company’s Elnet LT power meters for electrical measurements and harmonics can be managed by attackers remotely without authentication.
For mitigating attacks on both types of devices, ICS-CERT advises making sure that they are not accessible from the Internet, are put behing firewalls and are isolated from any business network, and that legitimate users use secure methods (such as VPNs) to remotely access the devices. Also, when a security update is made available, to first test it in a test development environment and then implement it if everything works as it should.
In addition to this, Schneider Electric has advised users of its ION power meters to disable several features (Webserver Config Access, Enable Webserver) that allow users – or attackers – to modify the devices’ configuration through a browser.
“Some power meters may be revenue locked, which further protects unauthorized meter configuration parameter changes, except Owner, Tag1 and Tag2 string registers,” they added.
Finally, they’ve also advised users to change passwords from the default settings upon installation of the product.