Today the DHS ICS-CERT published two alerts for publicly disclosed vulnerabilities in control system products from Schneider Electric and FENIKS Pro. It appears that both are based upon the disclosures from Karn Ganeshen that I described on Saturday. In neither alert did ICS-CERT identify the researcher who made the uncoordinated disclosure or the location of the public disclosure.
Schneider Alert
This alert describes a cross-site request forgery (CSRF) vulnerability, with proof-of-concept (PoC) exploit code, affecting Schneider Electric’s ION Power Meter products.
Karn’s disclosure on the Full Disclosure site lists additional vulnerabilities that I briefly described Saturday. Those did not make it into the ICS-CERT alert; it appears either that ICS-CERT did not consider them to be actual vulnerabilities (as opposed to ‘features’) or that Schneider has not yet acknowledged their existence.
ICS-CERT notes that it had already been working with Schneider on the vendor’s response to the CSRF vulnerability before the public disclosure. It also reports that Schneider has provided interim mitigation measures that device owners can use until a fix is available.
FENIKS Pro Alert
This alert describes authentication vulnerabilities, with proof-of-concept (PoC) exploit code, affecting the FENIKS PRO Elnet LT Energy & Power analyzer.
The remaining vulnerabilities described in Karn’s second disclosure on the Full Disclosure site (default passwords) are almost certainly regarded as features rather than vulnerabilities by ICS-CERT. Additionally, the lack of a documented password recovery process is not really a security issue in the classic sense; it is an availability problem, and an interesting way for owners who lose the password to brick their own devices.
ICS-CERT has made its initial notification to FENIKS Pro and is awaiting the vendor’s confirmation of the vulnerabilities and information on mitigation measures.