Six Major Flaws Identified in Schneider PowerLogic Devices


Earlier this month, Schneider Electric, a global supplier of energy and automation digital solutions, published a security advisory for its customers disclosing six major flaws in its PowerLogic EGX100 and EGX300 communication gateways. Threat actors can exploit these security holes to access devices, launch denial-of-service (DoS) attacks, and execute code remotely.

Security researchers have rated five of the security holes as high severity. They can be exploited for DoS attacks or remote code execution using specially crafted HTTP requests. The sixth flaw is related to the password recovery mechanism and can be exploited to gain administrator-level access to a device.

Jake Baines, a principal industrial control vulnerability analyst at industrial cybersecurity firm Dragos, reported the flaws, which are tracked as CVE-2021-22763 through CVE-2021-22768. The flaws were identified in EGX devices, but Schneider has determined that two of them also affect PowerLogic PM55xx power metering devices because those devices share the same web server code. The affected devices are part of the company's power monitoring and control offering, but they have reached end of life.

“For example, CVE-2021-22763 is a backdoor account that gives full admin access to the device's web server. As long as the attacker can reach the server, and knows the device's Ethernet address, they have full administration rights to the device. Although, this is largely only useful to an attacker to block access to the connected serial devices, so the true impact of the attack is dependent on the connected devices. CVE-2021-22764 is a similar situation. A remote and unauthenticated adversary can send HTTP requests that will cause the device to block access to the connected serial devices,” Baines said, describing a few theoretical scenarios in which attackers could exploit the vulnerabilities.

“The more interesting, but more complicated, are the vulnerabilities scored 9.8. These all allow an unauthenticated and remote attacker to run arbitrary code on the device. The vulnerabilities are stack-based buffer overflows, so writing a full exploit would take effort. While it's possible that could happen, it's unlikely that it actually has or ever will. However, the ability to run code on the device is interesting because it would allow the adversary to alter communication between the connected serial device and the monitoring/control systems,” he added.

PowerLogic EGX100 and EGX300 devices have reached end of life and are no longer supported. Users can either replace the products or apply the mitigations recommended by Schneider to minimize the risk of exploitation.