By Tal Keren and Rei Henigman | March 9, 2021

Vulnerabilities reported in smart meters have put vendors and utilities on notice in the past about the risks posed by these security shortcomings. Not only can these flaws impact consumers who have these industrial internet-of-things (IIoT) devices installed in their homes, but also the utility companies that deploy these meters in order to accurately monitor and bill customers for their services.

Last year, Claroty researchers examined the security of Schneider Electric’s PowerLogic ION/PM smart meter product line and disclosed two vulnerabilities present in numerous flavors and versions of the product. Schneider Electric sells these meters to organizations in numerous industries beyond utility networks including, industrial companies, data centers, and healthcare. The company touts organizations’ ability to use these devices to improve reliability, minimize downtime, and analyze events to improve efficiency.

Schneider Electric PowerLogic (PM) ION8650

Schneider Electric PowerLogic (PM) ION8650

Schneider Electric had addressed these issues, and today published advisories explaining the vulnerabilities, and also provided remediations. Users are urged to update their devices.

Claroty’s Research

Claroty’s research into the ION/PM smart meter firmware uncovered a pre-authentication integer-overflow vulnerability that, depending on the specific generation, architecture, and version of the product, could allow an attacker to remotely execute code or reboot the meter, causing a denial-of-service condition on the device.

These smart meters communicate using a proprietary ION protocol over TCP port 7700, and packets received by the device are parsed by a state machine function. We found that It is possible to trigger the flaw during the packet-parsing process by the main state machine function by sending a crafted request. This can be done without authentication because the request is fully parsed before it is handled or authentication is checked.

We decided to focus on the flow that parses strings and arrays. The function that parses the incoming packet reads the number of items or characters in the string or array and the buffer, which is a fixed size. We can fully control the size of the buffer with a DWORD that is read from the request.

We discovered a bug in the function that is responsible for advancing the parsing buffer, we named this function advance_buffer. We found that the advance_buffer function always returns true, regardless of other inner functions failing and returning false. Therefore, providing any large packet size will always pass the advance_buffer function without triggering an error message or exception, see chart below.

Claroty researchers were able to bypass buffer checks and reach exploitation.

Claroty researchers were able to bypass buffer checks and reach exploitation.

The buffer is then allocated on the stack and the data is copied. The same integer-overflow bug also exists on the stack, and will return a valid address, and allocator->current will point to an invalid location.

While researching different ION/PM firmware, we discovered there are two different exploitation paths depending on the specific architecture. We reported these as two different vulnerabilities.

The Vulnerabilities

CWE-119 Improper Restriction of Operations Within a Memory Buffer
Schneider Electric Advisory

This vulnerability was assessed a CVSS score of 9.8, a critical integer overflow vulnerability that could enable an attacker to send a specially crafted TCP packet to the device to either cause it to reboot the meter or remotely run code of their choice, depending on the architecture of the targeted device.

Schneider Electric said the affected products include ION7400 (prior to V3.0.0), ION9000 (prior to V3.0.0), and PM8000 (prior to V3.0.0).

The vendor remediated the issue with the July 2020 release of V3.0.0 and users are encouraged to update.

CWE-119 Improper Restriction of Operations Within a Memory Buffer
Schneider Electric Advisory

The same vulnerability also exists in a number of versions of the PowerLogic ION line of meters, but was assessed a CVSS score of 7.5 because successful exploitation of the versions does not enable remote code execution, and enables only an attacker to force the meter to reboot.

The list of affected products is as follows:

  • ION8650 (prior to V4.40.1)
  • ION8800 (prior to V372)
  • ION7650 Hardware rev. 4 or earlier (prior to V376)
  • ION7650 Hardware rev. 5 (prior to V416)
  • ION7700/73xx (all versions)
  • ION83xx/84xx/8600 (all versions)

The vulnerability was addressed in updates released in January and March, and users are urged to move to the patched versions.

  • ION8650 users should update to V4.40.1, released on Jan. 4.
  • ION8800 users should update to V372, released on March 3.
  • ION7650 Hardware rev. 4 or earlier should update to V376, released on March 3.
  • ION7650 Hardware rev. 5 should update to V416, released on March 3.

Schneider Electric said that the ION7700/73xx and ION83xx/84xx/85xx/8600 products are no longer supported with updates and that users should upgrade to supported versions.