BINOM3 Electric Power Quality Meter Vulnerabilities

All information products included in http://ics-cert.us-cert.gov are provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.


SUMMARY

NCCIC/ICS-CERT is aware of a public report by Karn Ganeshen of vulnerabilities affecting the BINOM3 Electric Power Quality Meter, a meter designed for autonomous operation in automated systems. According to this report, the vulnerabilities are remotely exploitable. This report was released after the researcher coordinated with ICS-CERT. ICS-CERT has attempted to notify the affected vendor of the report without success. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

The report included vulnerability details for the following vulnerabilities:

Vulnerability Type                             Remotely Exploitable   Impact
Reflected and stored cross-site scripting      Yes                    Injection of arbitrary JavaScript
Clear text passwords                           Yes                    Privileged access to device
Sensitive information leakage in GET request   Yes                    Privileged access to device
Access control issues                          Yes                    Password authentication is not enabled on Telnet access
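
Two of the reported classes, clear text passwords and sensitive information sent in a GET request, share one practical consequence: credentials placed in a URL query string are written to every access log, proxy log and browser history between the operator and the meter. The following script is an added example, not part of the report or the vendor's product. It scans Common Log Format lines (the sample lines are constructed for this example; the parameter name list is an assumption to be extended with the names the device really uses), flags GET requests whose query string carries a credential or token, and shows the redacted form that should be stored instead.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter names treated as secret-bearing (assumed list; extend with the names the device actually uses).
SECRET_PARAMS = {"password", "passwd", "pwd", "pass", "token", "session", "key", "apikey"}

# Common Log Format line as written by a proxy or the device itself.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Constructed sample log; none of these lines come from a real device.
SAMPLE_LOG = """\
10.0.5.21 - - [03/Nov/2016:10:12:01 +0000] "GET /login.cgi?user=admin&password=meter123 HTTP/1.1" 302 0
10.0.5.21 - - [03/Nov/2016:10:12:02 +0000] "GET /status.html?page=1 HTTP/1.1" 200 4122
10.0.5.40 - - [03/Nov/2016:10:15:44 +0000] "POST /login.cgi HTTP/1.1" 302 0
10.0.5.21 - - [03/Nov/2016:10:16:10 +0000] "GET /config.cgi?key=ABCDEF&page=2 HTTP/1.1" 200 900
"""


def secret_params(target):
    """Return the sorted names of secret-bearing, non-empty query parameters in a request target."""
    query = urlsplit(target).query
    return sorted({k.lower() for k, v in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SECRET_PARAMS and v})


def redact_target(target):
    """Rewrite the request target so secret values never reach long-term log storage."""
    parts = urlsplit(target)
    pairs = [(k, "[REDACTED]" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs, safe="[]")).geturl()


def scan_log(lines):
    """Flag GET requests that carry credentials or tokens in the query string."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue   # POST bodies are not logged, so only GET targets leak this way
        leaked = secret_params(m["target"])
        if leaked:
            findings.append({"client": m["client"], "time": m["ts"],
                             "path": urlsplit(m["target"]).path, "params": leaked,
                             "redacted": redact_target(m["target"])})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['client']} {f['path']} leaks {','.join(f['params'])} -> {f['redacted']}")
```

Run against the sample, the login request and the configuration request are flagged while the POST login is not, because its credentials travelled in the body. The same scan run against proxy logs between the engineering network and the meters is a quick way to find out whether operators are already exposed before the vendor ships a fix.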

Please report any issues affecting control systems in critical infrastructure environments to ICS‑CERT.

BINOM3 Electric Power Quality Meter products are used in SCADA systems such as automated process control systems.

For details, please see the BINOM3 web site:

http://www.binom3.ru/

MITIGATION

ICS-CERT recommends that users:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

ICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Contact Information

For any questions related to this report, please contact ICS-CERT at:

Email: [email protected]
Toll Free: 1-877-776-7585
International Callers: (208) 526-0900

For industrial control systems security information and incident reporting: http://ics-cert.us-cert.gov


FENIKS PRO Elnet Energy Meter Vulnerabilities

SUMMARY

NCCIC/ICS-CERT is aware of a public report of authentication vulnerabilities with proof-of-concept (PoC) exploit code affecting FENIKS PRO Elnet LT Energy & Power analyzer. According to this report, attackers can manage the device remotely without authentication. This report was released after ICS-CERT failed to coordinate the vulnerabilities with FENIKS PRO. ICS-CERT has notified the affected vendor of the report and has asked the vendor to confirm the vulnerabilities and identify mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

The report included vulnerability details and PoC exploit code for the following vulnerability:

Vulnerability Type                      Remotely Exploitable   Impact
Unauthenticated web management access   Yes                    Possible remote code execution

Please report any issues affecting control systems in critical infrastructure environments to ICS‑CERT.

ICS-CERT recommends that users of these devices (or any other control system device) change passwords from the default settings upon installation of the product.

Elnet LT is a power meter for electrical measurements and harmonics with RS485 communication.

MITIGATION

ICS-CERT is attempting to coordinate with the vendor and security researcher to identify mitigations.

ICS-CERT recommends, as quality assurance, that users test the update in a test development environment that reflects their production environment prior to installation. In addition, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

ICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Schneider Electric ION Power Meter CSRF Vulnerability

SUMMARY

NCCIC/ICS-CERT is aware of a public report of a cross site request forgery (CSRF) vulnerability with proof-of-concept (PoC) exploit code affecting Schneider Electric’s ION Power Meter products. According to this report, exploitation of this vulnerability can allow unauthorized actions on the device, such as configuration parameter changes and saving modified configuration. This report was released while ICS-CERT was working with Schneider Electric to mitigate the vulnerability. Schneider Electric reports that the vulnerability affects the following products: ION 73xx, ION 75xx, ION 76xx, ION 8650, ION 8800, and PM5xxx. Schneider Electric has identified mitigations for this and other issues and will notify their customers. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.

The report included vulnerability details and PoC exploit code for the following vulnerability:

Vulnerability Type   Remotely Exploitable   Impact
CSRF                 Yes                    Possible unauthorized configuration changes
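
A CSRF against a meter's web server works because the browser attaches the operator's session cookie to any request, including one auto-submitted by a page the operator was lured to. The following is an added example, not the published PoC and not Schneider Electric code: a toy model of a "save configuration" handler in its cookie-only form beside a hardened form that also requires a same-origin request and a per-session synchronizer token. The device address, handler names and configuration registers are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    headers: dict   # e.g. {"Origin": "https://attacker.example"}
    cookies: dict   # sent automatically by the browser, so present on forged requests too
    form: dict      # body parameters of the submitted form


class MeterWeb:
    """Toy model of a meter web server's 'save configuration' handler (assumed, not vendor code)."""

    ORIGIN = "https://meter.example"   # assumed address of the device's web server

    def __init__(self):
        self.sessions = {}   # session cookie -> {"user": ..., "csrf": per-session token}
        self.config = {"owner": "Plant A", "webserver_config_access": "Enable"}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(32)}
        return sid

    def _session(self, req):
        return self.sessions.get(req.cookies.get("session"))

    def save_config_vulnerable(self, req):
        """Relies on the session cookie alone: any page the browser visits can forge this."""
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 401
        self.config.update(req.form)
        return 200

    def save_config_hardened(self, req):
        """Requires a same-origin request carrying the session's synchronizer token."""
        sess = self._session(req)
        if req.method != "POST" or sess is None:
            return 401
        # 1. Origin (Referer as fallback) must be the device itself; a page on
        #    attacker.example that auto-submits a form cannot set these headers.
        src = req.headers.get("Origin") or req.headers.get("Referer")
        if src is None or urlsplit(src)[:2] != urlsplit(self.ORIGIN)[:2]:
            return 403
        # 2. The form must carry the token issued to this session; the attacker's
        #    page cannot read it because it lives in the meter's origin.
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
            return 403
        self.config.update({k: v for k, v in req.form.items() if k != "csrf_token"})
        return 200


def demo():
    """Replay a forged and a legitimate save against both handlers; return the outcomes."""
    site = MeterWeb()
    sid = site.login("admin")
    # Forged: the operator is logged in, then visits attacker.example, which auto-submits a form to the meter.
    forged = Request("POST", {"Origin": "https://attacker.example"},
                     {"session": sid}, {"owner": "attacker"})
    # Legitimate: submitted from the meter's own configuration page, which embeds the token.
    legit = Request("POST", {"Origin": MeterWeb.ORIGIN},
                    {"session": sid}, {"owner": "Plant B", "csrf_token": site.sessions[sid]["csrf"]})
    results = {}
    results["vulnerable_forged"] = site.save_config_vulnerable(forged)
    results["owner_after_vulnerable"] = site.config["owner"]
    site.config["owner"] = "Plant A"
    results["hardened_forged"] = site.save_config_hardened(forged)
    results["owner_after_forged"] = site.config["owner"]
    results["hardened_legit"] = site.save_config_hardened(legit)
    results["owner_after_legit"] = site.config["owner"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forged request succeeds against the cookie-only handler and changes the Owner register; against the hardened handler it is refused on the Origin check before the token is even examined, while the legitimate save still goes through. Setting the "Webserver Config Access" register to Disabled, as in the vendor mitigation below, removes the writable endpoint altogether and is the stronger control on devices that cannot be updated.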

ION Power Meter products are used in energy management applications such as feeder monitoring and sub-metering. They interface with power monitoring software or other energy management or automations systems for real-time information for monitoring and analysis.

Schneider Electric also acknowledges that these devices do not force a change of password upon installation of the device. This is not a vulnerability but a deployment issue. ICS-CERT and Schneider Electric recommend that users of these devices (or any other control system device) change passwords from the default settings upon installation of the product. Documentation on security configuration and device password management is available at the following link:

http://www.schneider-electric.us/en/download/document/70012-0260-00/

For further information on vulnerabilities in Schneider Electric’s products, please visit Schneider Electric’s cybersecurity web page at:

http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cybersecurity.page

FOLLOW-UP

ICS-CERT released the follow-up advisory titled ICSA-16-308-03 Schneider Electric IONXXXX Series Power Meter Vulnerabilities on November 3, 2016, on the ICS-CERT web site.

MITIGATION

Schneider Electric offers the following mitigation advice:

  • Configuration parameter changes, as well as saving modified configuration can be prevented for a meter by setting the “Webserver Config Access” register to “Disabled.” This register determines whether you can configure your meter through a browser. Valid entries are Enable or Disable. This register is set to Enable by default.
  • There is also an “Enable Webserver” register. This register enables or disables the webserver entirely. Values for this register are YES and NO. The webserver is enabled by default (the value is set to YES).
  • Some power meters may be revenue locked, which further protects against unauthorized changes to meter configuration parameters, except for the Owner, Tag1 and Tag2 string registers.

ICS-CERT recommends, as quality assurance, that users test the update in a test development environment that reflects their production environment prior to installation. In addition, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

ICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

TA16-250A: The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations

Network infrastructure consists of interconnected devices designed to transport communications needed for data, applications, services, and multi-media. Routers and firewalls are the focus of this alert; however, many other devices exist in the network, such as switches, load-balancers, intrusion detection systems, etc. Perimeter devices, such as firewalls and intrusion detection systems, have been the traditional technologies used to secure the network, but as threats change, so must security strategies. Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions; organizations must also be able to contain the impact/losses within the internal network and infrastructure.

For several years now, vulnerable network devices have been the attack vector of choice and one of the most effective techniques for sophisticated hackers and advanced threat actors. In this environment, there has never been a greater need to improve network infrastructure security. Unlike hosts that receive significant administrative security attention and for which security tools such as anti-malware exist, network devices are often working in the background with little oversight—until network connectivity is broken or diminished. Malicious cyber actors take advantage of this fact and often target network devices. Once on the device, they can remain there undetected for long periods. After an incident, where administrators and security professionals perform forensic analysis and recover control, a malicious cyber actor with persistent access on network devices can reattack the recently cleaned hosts. For this reason, administrators need to ensure proper configuration and control of network devices.

Proliferation of Threats to Information Systems

SYNful Knock

In September 2015, an attack known as SYNful Knock was disclosed. SYNful Knock silently changes a router’s operating system image, thus allowing attackers to gain a foothold on a victim’s network. The malware can be customized and updated once embedded. When the modified malicious image is uploaded, it provides a backdoor into the victim’s network. Using a crafted TCP SYN packet, a communication channel is established between the compromised device and the malicious command and control (C2) server. The impact of this infection to a network or device is severe and most likely indicates that there may be additional backdoors or compromised devices on the network. This foothold gives an attacker the ability to maneuver and infect other hosts and access sensitive data.

The initial infection vector does not leverage a zero-day vulnerability. Attackers either use the default credentials to log into the device or obtain weak credentials from other insecure devices or communications. The implant resides within a modified IOS image and, when loaded, maintains its persistence in the environment, even after a system reboot. Any further modules loaded by the attacker will only exist in the router’s volatile memory and will not be available for use after the device reboots. However, these devices are rarely or never rebooted.

To prevent the size of the image from changing, the malware overwrites several legitimate IOS functions with its own executable code. The attacker examines the functionality of the router and determines functions that can be overwritten without causing issues on the router. Thus, the overwritten functions will vary upon deployment.

The attacker can utilize the secret backdoor password in three different authentication scenarios. In these scenarios the implant first checks to see if the user input is the backdoor password. If so, access is granted. Otherwise, the implanted code will forward the credentials for normal verification of potentially valid credentials. This generally raises the least amount of suspicion. Cisco has provided an alert on this attack vector. For more information, see the Cisco SYNful Knock Security Advisory.
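
Because the implant's control channel is opened by a crafted TCP SYN rather than by a login, it can be hunted for on the wire without touching the router. The script below is an added example, not part of this alert or of Cisco's advisory. It uses the indicator from FireEye's public SYNful Knock analysis, which this page does not itself state: the trigger is a SYN whose sequence number minus acknowledgment number is 0xC123D modulo 2^32, with the acknowledgment number not required to be zero. The packets are constructed inline (checksums left at zero) so the detector runs offline; the parser is minimal and assumes IPv4 without options.

```python
import struct

# Public indicator from FireEye's SYNful Knock analysis (not stated on this page):
# the trigger is a TCP SYN whose sequence number minus acknowledgment number equals 0xC123D.
SYNFUL_KNOCK_DELTA = 0xC123D
SYN, ACK = 0x02, 0x10


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags):
    """Construct a minimal IPv4+TCP header pair as test input (checksums left at zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      5 << 4, flags, 65535, 0, 0)
    return ip + tcp


def parse_tcp(pkt):
    """Return (src, dst, sport, dport, seq, ack, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return src, dst, sport, dport, seq, ack, flags


def is_synful_trigger(pkt):
    """True when pkt is a bare SYN (ACK flag clear) with seq - ack == 0xC123D modulo 2**32."""
    fields = parse_tcp(pkt)
    if fields is None:
        return False
    seq, ack, flags = fields[4], fields[5], fields[6]
    if not (flags & SYN) or (flags & ACK):
        return False
    return (seq - ack) & 0xFFFFFFFF == SYNFUL_KNOCK_DELTA


def scan(packets):
    """Return (src, dst, sport) for every packet matching the trigger pattern."""
    hits = []
    for pkt in packets:
        if is_synful_trigger(pkt):
            src, dst, sport = parse_tcp(pkt)[:3]
            hits.append((src, dst, sport))
    return hits


def sample_packets():
    """Constructed traffic: an ordinary handshake pair and two trigger SYNs."""
    return [
        build_ipv4_tcp("10.0.0.5", "192.0.2.1", 51000, 80, 0x1A2B3C4D, 0, SYN),                # normal SYN
        build_ipv4_tcp("192.0.2.1", "10.0.0.5", 80, 51000, 0x0F0F0F0F, 0x1A2B3C4E, SYN | ACK),  # normal SYN-ACK
        build_ipv4_tcp("198.51.100.7", "192.0.2.1", 40000, 80, SYNFUL_KNOCK_DELTA, 0, SYN),    # trigger, ack = 0
        build_ipv4_tcp("198.51.100.7", "192.0.2.1", 40001, 80, 0x1000,
                       (0x1000 - SYNFUL_KNOCK_DELTA) & 0xFFFFFFFF, SYN),                       # trigger, subtraction wraps
    ]


if __name__ == "__main__":
    for hit in scan(sample_packets()):
        print("SYNful Knock trigger pattern from %s to %s (sport %d)" % hit)
```

The subtraction is done modulo 2^32 so a trigger whose acknowledgment number is larger than its sequence number is still caught. An ordinary SYN normally carries an acknowledgment number of zero, so a false positive requires the client's initial sequence number to land on exactly 0xC123D; a match therefore warrants pulling the router's running image and comparing its hash against Cisco's published value, since the implant lives in the IOS image rather than in volatile memory.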

Other attacks against network infrastructure devices have also been reported, including more complicated persistent malware that silently changes the firmware on the device that is used to load the operating system so that the malware can inject code into the running operating system. For more information, please see Cisco’s description of the evolution of attacks on Cisco IOS devices.

Cisco Adaptive Security Appliance (ASA)

A Cisco ASA device is a network device that provides firewall and Virtual Private Network (VPN) functionality. These devices are often deployed at the edge of a network to protect a site’s network infrastructure, and to give remote users access to protected local resources.

In June 2016, NCCIC received several reports of compromised Cisco ASA devices that were modified in an unauthorized way. The ASA devices directed users to a location where malicious actors tried to socially engineer the users into divulging their credentials.

It is suspected that malicious actors leveraged CVE-2014-3393 to inject malicious code into the affected devices. The malicious actor would then be able to modify the contents of the Random Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the appliance’s configuration. Refer to the Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software for more information and for remediation details.

In August 2016, a group known as “Shadow Brokers” publicly released a large number of files, including exploitation tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be vulnerable to the released exploit code. In response, Cisco released an update to address a newly disclosed Cisco ASA Simple Network Management Protocol (SNMP) remote code execution vulnerability (CVE-2016-6366). In addition, one exploit tool targeted a previously patched Cisco vulnerability (CVE-2016-6367). Although Cisco provided patches to fix this Cisco ASA command-line interface (CLI) remote code execution vulnerability in 2011, devices that remain unpatched are still vulnerable to the described attack. Attackers may target vulnerabilities for months or even years after patches become available.