Last night I missed the second Schneider control system security advisory published yesterday by ICS-CERT. It describes two vulnerabilities in their IONXXXX series power meters and is a follow-up to an earlier alert. The vulnerabilities were reported by Karn Ganeshen. Schneider has provided instructions to mitigate these vulnerabilities. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.
The two vulnerabilities identified in the advisory (the second was not identified in the original alert) are:
• Cross-site request forgery - CVE-2016-5809; and
• Improper access control - CVE-2016-5815
The ICS-CERT advisory does not address the three separate default password issues for the HTTP, Telnet and front panel access to the device, though they were mentioned in passing in the earlier alert. These are specifically addressed in the Schneider Security Notification referenced in the advisory. That notification only addresses the default password issue (urging owners to change their device passwords from the default values to prevent unauthorized access), but neither of the vulnerabilities addressed in this advisory.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the two covered vulnerabilities to make configuration changes on the device.
BTW: While ICS-CERT notes that no “known public exploits specifically target these vulnerabilities” (Karn’s disclosure did not provide a POC), it does not mention that Karn provided a partial list of organizations that are using the affected power meters.