Powerlogic / Schneider Electric IONXXXX CSRF / Missing Access Controls

2016-09-07T00:00:00
ID PACKETSTORM:138635
Type packetstorm
Reporter Karn Ganeshen
Modified 2016-09-07T00:00:00

Description

                                        
                                            `*Powerlogic/Schneider Electric IONXXXX series Smart Meters - Multiple  
security issues*  
  
*Impacted devices:*  
  
*ION7300 and potentially all IONXXXX models (based off of Powerlogic)*
For example, Power Measurement Ltd. Meter ION 7330V283 ETH ETH7330V274
http://www.schneider-electric.com/download/hk/en/details/2254511-ETH-7330-V274/?reference=ETH7330V274
  
  
*About*  
Power & Energy Monitoring System  
Compact energy and power quality meters for feeders or critical loads  
  
The PowerLogic ION7300 series meters help you:
- reduce energy and operations costs
- improve power quality, reliability and uptime
- optimize equipment use
for optimal management of your electrical installation and greater
productivity
  
Used in enterprise energy management applications such as feeder monitoring  
and sub-metering, ION7300 Series meters offer unmatched value,  
functionality, and ease of use. ION7300 Series meters interface to  
PowerLogic StruxureWare software or other automation systems to give all
users fast information sharing and analysis.  
  
ION7300 Series meters are an ideal replacement for analogue meters, with a  
multitude of power and energy measurements, analogue and digital I/O,  
communication ports, and industry-standard protocols. The ION7330 meter has  
on-board data storage, emails of logged data, and an optional modem. The  
ION7350 meter is further augmented by more sophisticated power quality  
analysis, alarms and a call-back-on-alarm feature.  
  
*Applications*  
- Power monitoring and control operations.  
- Power quality analysis.  
- Cost allocation and billing.  
- Demand and power factor control.  
- Load studies and circuit optimisation.  
- Equipment monitoring and control.  
- Preventive maintenance.  
  
*Rebranded or used as-is by different organizations*
  
*Canada*  
Telus Mobility  
Futureway Communications  
Radiant Communications  
Acadia University  
Loyalist College  
Seneca College  
TBayTel  
  
*Mexico*  
Universidad Nacional Autonoma de Mexico  
  
*USA*  
Frontier Communications  
Cox Communications  
Avon Old Farms School  
University of Pennsylvania  
Princeton University  
City of Glenwood Springs, Electric Department  
University of California, Santa Cruz  
City of Thomasville Utilities  
Comcast Cable  
Verizon Wireless  
City Of Hartford  
AT&T Internet Services  
CNS-Internet  
Comcast Business Communications  
AT&T U-verse  
  
*Vulnerabilities*

*HTTP Web Management portal*
  
Provides stats for Monitor Energy, Revenue, Peak Demand, Voltage  
Disturbances.  
  
*No access control* - by default no authentication is configured to access
the device's web management portal.

An unauthorized user can access the device management portal and make
configuration changes. Because the change is submitted as a single POST
request, this can easily be exploited at mass scale with scripting.
  
I suspect it may also be possible to cause denial of service to these  
devices, as well as additional devices - which directly or indirectly  
accept / send data to/from these meters - by submitting varying amounts of  
invalid / junk data.  
  
*Vulnerable to Cross-Site Request Forgery*
  
There is no CSRF Token generated per page and / or per (sensitive)  
function. Successful exploitation of this vulnerability can allow silent  
execution of unauthorized actions on the device such as configuration  
parameter changes, and saving modified configuration.  
  
Successful exploitation of these vulnerabilities allows silent execution of
unauthorized actions on the device, specifically modifying parameter
configuration (voltage modes, polarity, voltage units, current units,
interval values) and submitting the configuration changes to the meter.
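The two controls the portal lacks, an authenticated session and a per-session CSRF token backed by an Origin/Referer check on state-changing POSTs, are shown below in a hardened form. This is an added illustration written for this advisory; it is not Schneider Electric or Powerlogic code. The device hostname, the `/config` path, the `voltage_mode` parameter, the `csrf_token` field and the sample requests are all constructed assumptions.

```python
"""Hardened request check for a device web management portal (added example).

Not vendor code. Hostname, paths, parameter names and sample requests are
constructed assumptions for illustration only.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

DEVICE_HOST = "meter.example.internal"  # assumed hostname of the meter's portal


@dataclass
class Session:
    user: str
    # One unpredictable token per session; the server embeds it in every
    # configuration form and requires it back on submission.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    cookies: Dict[str, str] = field(default_factory=dict)


class Portal:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}  # session id -> Session
        self.config: Dict[str, str] = {"voltage_mode": "4W-WYE"}  # constructed sample

    def login(self, user: str) -> str:
        """Create an authenticated session and return its opaque id."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user=user)
        return sid

    def csrf_token_for(self, sid: str) -> str:
        """Token the server would render into the config form for this session."""
        return self.sessions[sid].csrf_token

    def check_config_change(self, req: Request) -> List[str]:
        """Return the reasons the request is rejected; an empty list means allowed."""
        reasons: List[str] = []
        if req.method != "POST":
            reasons.append("state change requires POST")
        session = self.sessions.get(req.cookies.get("sid", ""))
        if session is None:
            # Control 1: no anonymous configuration changes at all.
            reasons.append("no authenticated session")
            return reasons
        # Control 2a: a cross-site form post carries a foreign Origin/Referer
        # (or none); only the device's own pages may submit changes.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not origin.startswith(f"https://{DEVICE_HOST}"):
            reasons.append("origin is not the device portal")
        # Control 2b: the per-session token, compared in constant time.
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token, session.csrf_token):
            reasons.append("missing or invalid CSRF token")
        return reasons

    def apply_config_change(self, req: Request) -> bool:
        """Apply the submitted parameters only when every check passes."""
        if self.check_config_change(req):
            return False
        for key, value in req.form.items():
            if key != "csrf_token":
                self.config[key] = value
        return True


if __name__ == "__main__":
    portal = Portal()
    sid = portal.login("7300")
    legit = Request("POST", "/config",
                    {"Origin": f"https://{DEVICE_HOST}"},
                    {"csrf_token": portal.csrf_token_for(sid), "voltage_mode": "3W-DELTA"},
                    {"sid": sid})
    forged = Request("POST", "/config", {"Origin": "https://attacker.example"},
                     {"voltage_mode": "3W-DELTA"}, {"sid": sid})
    print("legit:", portal.check_config_change(legit))    # []
    print("forged:", portal.check_config_change(forged))  # two reasons
```

The Origin check and the token check are deliberately independent: the token alone defeats a forged cross-site form, and the Origin check catches a token that leaked or was never bound to the session. Neither check helps unless the session requirement comes first, which is the control the advisory reports as absent by default.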
  
*Front Panel security (Physical)*

*Weak Credential Management* - the default meter password is factory-set to
00000; a mandatory default password change is not enforced.
  
Front panel meter security lets you configure the meter through the front  
panel using a meter password.  
  
Front panel meter security is enabled by default on all ION7300 series
meters; all configuration functions in the front panel are
password-protected.

The password is factory-set to 0 (zero).
  
*Telnet*

*Weak Credentials Management*
- *Default accounts* - different models come with corresponding login
credentials, documented in the PowerLogic admin guide:
http://www.powerlogic.com/literature/70072-0102-05.pdf
- The application does not enforce a mandatory default password change

For example, for the ION7300 the default credentials are:
User - 7300
Password - 0 (a zero)
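Both the front panel and Telnet findings come down to the same missing control: the factory default is accepted indefinitely and nothing forces a change. The example below, added for this advisory and not Powerlogic/Schneider code, shows an authenticator that accepts the documented ION7300 default (user 7300, password 0) only to reach a change-password step, rejects a new password that is the default, all zeros or the user name, and refuses every other action until the change has happened. The minimum length, the PBKDF2 parameters and the action names are assumptions.

```python
"""Login flow that forces a change away from the factory default (added example).

Not vendor code. Only the ION7300 default credentials come from the advisory;
the policy thresholds and action names below are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List

FACTORY_DEFAULTS: Dict[str, str] = {"7300": "0"}  # model -> default password, per the advisory
MIN_LENGTH = 8          # assumed policy
PBKDF2_ROUNDS = 100_000  # assumed policy


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user: str
    salt: bytes
    pw_hash: bytes
    must_change: bool  # True until the factory default has been replaced


class Authenticator:
    def __init__(self) -> None:
        # Accounts ship with the factory default, but flagged as must_change.
        self.accounts: Dict[str, Account] = {}
        for user, pw in FACTORY_DEFAULTS.items():
            salt = secrets.token_bytes(16)
            self.accounts[user] = Account(user, salt, _hash(pw, salt), must_change=True)

    def authenticate(self, user: str, password: str) -> str:
        """Return 'denied', 'change-required' or 'ok'."""
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            return "denied"
        return "change-required" if acct.must_change else "ok"

    def password_problems(self, user: str, new_pw: str) -> List[str]:
        """Policy reasons a proposed password is unacceptable (empty = fine)."""
        problems: List[str] = []
        if len(new_pw) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if new_pw == FACTORY_DEFAULTS.get(user) or (new_pw and set(new_pw) == {"0"}):
            problems.append("factory default or all-zero password")
        if new_pw == user:
            problems.append("password equals user name")
        return problems

    def change_password(self, user: str, old_pw: str, new_pw: str) -> List[str]:
        """Replace the password; returns the problems found, empty on success."""
        if self.authenticate(user, old_pw) == "denied":
            return ["current password incorrect"]
        problems = self.password_problems(user, new_pw)
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(user, salt, _hash(new_pw, salt), must_change=False)
        return []

    def authorize(self, user: str, password: str, action: str) -> bool:
        """While the default is still in place, only 'change_password' is permitted."""
        state = self.authenticate(user, password)
        if state == "ok":
            return True
        if state == "change-required":
            return action == "change_password"
        return False


if __name__ == "__main__":
    auth = Authenticator()
    print(auth.authorize("7300", "0", "set_config"))        # False: default still set
    print(auth.change_password("7300", "0", "00000"))        # rejected: all zeros
    print(auth.change_password("7300", "0", "Meter-Room-42!"))  # []
    print(auth.authorize("7300", "Meter-Room-42!", "set_config"))  # True
```

The point of the `must_change` flag is that the default password still works exactly once, for the change itself; a meter that has never been touched stays in that state and cannot be configured through the front panel or Telnet until someone sets a real password.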
  
+++++  
  