Rockwell Automation industrial energy meter vulnerable to public exploits

A low-skilled, remote attacker could use publicly available exploits to gain access to and mess with a power monitor by Rockwell Automation that is used by energy companies worldwide, ICS-CERT warns.

All versions of Rockwell Automation’s Allen-Bradley PowerMonitor 1000 are vulnerable and there is currently no available fix for the flaws.

About the vulnerabilities and available exploits

PowerMonitor 1000 is an energy metering device used in industrial control applications, such as distribution centers, industrial control panels, and motor control centers.

It measures voltage and current in an electrical circuit and communicates power and energy parameters to applications such as FactoryTalk EnergyMetrix™, SCADA systems, and programmable controllers, over Ethernet or serial networks.

Two vulnerabilities were discovered:

  • CVE-2019-19615, a cross-site scripting flaw that could allow a remote attacker to inject arbitrary code into a targeted user’s web browser to gain access to the affected device.
  • CVE-2019-19616, an authentication bypass that could allow a remote attacker to use a proxy to enable functionality that is typically available to those with administrative rights for the web application. Once the authentication is bypassed, the attacker can change user settings and the device configuration.

Luca Chiou of ACSI, who has been credited with finding and reporting both flaws to the NCCIC (National Cybersecurity & Communications Integration Center), has also released PoC exploits for both of them (1, 2).

Of the two, the latter is currently more dangerous, as it appears that attackers might already be using it.

“Rockwell Automation is currently working on mitigations and reports that CheckPoint Software Technologies has released IPS rules to detect attempts to exploit CVE-2019-19615,” ICS-CERT explained.

Until fixes are provided, they advise administrators to ensure that the affected devices are not accessible from the Internet, are located behind a firewall, and are isolated from the business network.