Claroty uncovers vulnerabilities in Schneider Electric smart meters


Vulnerabilities reported in smart meters have put vendors and utilities on notice in the past about the risks posed by these security shortcomings. Not only can these flaws impact consumers who have these industrial internet-of-things (IIoT) devices installed in their homes, but also the utility companies that deploy these meters in order to accurately monitor and bill customers for their services.

Claroty researchers recently examined the security of Schneider Electric’s PowerLogic ION/PM smart meter product line and disclosed two vulnerabilities present in numerous versions of the product. Schneider Electric sells these meters to organisations in many industries beyond utility networks, including industrial companies, data centers, and healthcare. The company touts organisations’ ability to use these devices to improve reliability, minimise downtime, and analyse events to improve efficiency.

Schneider Electric has addressed these issues, published advisories explaining the vulnerabilities, and provided remediations. Users are urged to update their affected devices immediately.

Claroty’s research

Claroty’s research into the ION/PM smart meter firmware uncovered a pre-authentication integer-overflow vulnerability that, depending on the specific generation, architecture, and version of the product, could allow an attacker to remotely execute code or reboot the meter, causing a denial-of-service condition on the device.

These smart meters communicate using a proprietary ION protocol over TCP port 7700, and packets received by the device are parsed by a state machine function. Claroty found that a crafted request triggers the flaw while the main state machine function is parsing the packet. No authentication is required, because the request is fully parsed before it is handled or any authentication check takes place. In effect, the overflowed value slips past the buffer-size checks the parser relies on, which is what opens the path to exploitation.
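To make the bug class concrete, here is an added example of the pattern the article describes: a pre-authentication packet parser whose 32-bit bounds check of the form "offset + length" wraps, so a length field near UINT32_MAX passes validation and the subsequent copy would run past the buffer. This is illustrative code written for this page, not Claroty's research code and not Schneider Electric's ION firmware; the frame layout (a two-byte type followed by a four-byte big-endian payload length), the function names and the sample bytes are all invented for the example. The hardened variant beside it compares the length against the bytes actually remaining, which cannot wrap.

```c
/*
 * Illustrative length-check integer overflow in a packet parser.
 * NOT the ION firmware: the frame layout, names and values below are
 * invented for this example. It shows a 32-bit "offset + length" bounds
 * check that wraps, so an oversized length passes validation and a
 * later copy of that many bytes would overrun the receive buffer.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical header: u16 type + u32 big-endian payload length. */
#define HDR_LEN 6u

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/*
 * Vulnerable check: off + len is computed in 32-bit arithmetic and wraps
 * when len is close to UINT32_MAX, so the comparison against pkt_len
 * passes. Returns 0 (accepted) or -1 (rejected). A real parser would
 * now copy *out_len bytes into a fixed buffer; that copy is omitted here
 * because with the crafted length it would crash the process.
 */
int check_vuln(const uint8_t *pkt, uint32_t pkt_len, uint32_t *out_len) {
    if (pkt_len < HDR_LEN) return -1;
    uint32_t off = HDR_LEN;
    uint32_t len = rd32be(pkt + 2);
    if (off + len > pkt_len) return -1;   /* wraps: 6 + 0xFFFFFFFC == 2 */
    if (out_len) *out_len = len;
    return 0;
}

/*
 * Hardened check: never add the untrusted length to anything. Compute the
 * bytes remaining after the header (already known to be non-negative) and
 * compare the advertised length against that.
 */
int check_fixed(const uint8_t *pkt, uint32_t pkt_len, uint32_t *out_len) {
    if (pkt_len < HDR_LEN) return -1;
    uint32_t remaining = pkt_len - HDR_LEN;
    uint32_t len = rd32be(pkt + 2);
    if (len > remaining) return -1;
    if (out_len) *out_len = len;
    return 0;
}

/* Constructed 8-byte frame: type 0x0001, length 0xFFFFFFFC, 2 payload bytes. */
static const uint8_t CRAFTED[8] = {0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFC, 0x41, 0x42};
/* Constructed benign frame: length 2 matches the 2 payload bytes present. */
static const uint8_t BENIGN[8]  = {0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x41, 0x42};

int main(void) {
    uint32_t len = 0;
    int rc = check_vuln(CRAFTED, sizeof CRAFTED, &len);
    printf("vulnerable check, crafted frame: rc=%d accepted len=0x%08x\n", rc, len);
    rc = check_fixed(CRAFTED, sizeof CRAFTED, &len);
    printf("hardened check,   crafted frame: rc=%d\n", rc);
    rc = check_fixed(BENIGN, sizeof BENIGN, &len);
    printf("hardened check,   benign frame:  rc=%d len=%u\n", rc, len);
    return 0;
}
```

The vulnerable check accepts the crafted frame with a length of 0xFFFFFFFC bytes, which is the value a following memcpy or parsing loop would act on; whether that ends in a crash (the reboot/denial-of-service outcome) or controlled memory corruption (the remote code execution outcome) depends on what sits after the buffer on the particular architecture, which matches the split the article draws between the two advisories. Because the check runs during parsing, before any authentication state is consulted, the only precondition is TCP reachability of the service.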

Claroty found that the flaw leads to two different outcomes depending on the specific architecture, and it has been reported as two separate vulnerabilities, detailed below.

Improper Restriction of Operations Within a Memory Buffer
Schneider Electric Advisory

This vulnerability, a critical integer overflow, was assessed a CVSS score of 9.8. An attacker who sends a specially crafted TCP packet to the device can either force the meter to reboot or remotely run code of their choice, depending on the architecture of the targeted device.

Schneider Electric said the affected products include ION7400 (prior to V3.0.0), ION9000 (prior to V3.0.0), and PM8000 (prior to V3.0.0).

Improper Restriction of Operations Within a Memory Buffer
Schneider Electric Advisory

The same flaw also exists in a number of versions of the PowerLogic ION line of meters, but was assessed a CVSS score of 7.5 because successful exploitation on those versions does not yield remote code execution; an attacker can only force the meter to reboot.

The list of affected products is as follows:

  • ION8650 (prior to V4.40.1)
  • ION8800 (prior to V372)
  • ION7650 Hardware rev. 4 or earlier (prior to V376)
  • ION7650 Hardware rev. 5 (prior to V416)
  • ION7700/73xx (all versions)
  • ION83xx/84xx/8600 (all versions)

The vulnerability was addressed in updates released in January and March, and users are urged to move to the patched versions.

  • ION8650 users should update to V4.40.1, released on Jan. 4.
  • ION8800 users should update to V372, released on March 3.
  • ION7650 Hardware rev. 4 or earlier should update to V376, released on March 3.
  • ION7650 Hardware rev. 5 should update to V416, released on March 3.

Schneider Electric said that the ION7700/73xx and ION83xx/84xx/85xx/8600 products are no longer supported with updates. Users of those models will receive no fix and should migrate to a supported model immediately.