(CVE-2016-4513) Schneider Electric PowerLogic PM8ECC XSS

Background

On the 4th August 2015, I discovered a cross-site scripting vulnerability in Schneider Electric’s PowerLogic 800 power meter, specifically in the embedded webserver on the PM8ECC add-on module.

After a lengthy nine (9) month disclosure period, Schneider Electric formally thanked me and released a firmware patch to fix the vulnerability, under security advisory SEVD-2016-132-01.


Homeland Security’s ICS-CERT team formally acknowledged the vulnerability on June 21st, and released a security advisory. CVE-2016-4513 has been assigned to this issue.

The Schneider Electric security advisory (SEVD-2016-132-01) can be found here.

Homeland Security’s ICS-CERT advisory (ICSA-16-173-02) can be found here.

Device info

Schneider Electric's PowerLogic Series 800 Power Meters offer measurement capabilities to monitor electrical installations in commercial and utility facilities. The PM800 power meter includes an RS485 Modbus communication port (ASCII and RTU), digital input, digital output, THD metering, and alarming.


The PM8ECC provides Ethernet connectivity and webserver capabilities to the PM800. The embedded webserver provides real-time data views and easy communication setup through a standard web browser. The same information can be viewed for other Modbus devices daisy-chained to the PM8ECC's onboard RS-485 port.

According to Schneider Electric, PowerLogic PM8ECC is deployed in the Commercial Facilities sector, and Schneider Electric estimates that this product is used worldwide.

Vulnerability Summary

Product: PowerLogic PM8ECC
Version: Firmware version prior to Version 2.651
Vendor: Schneider Electric

A reflected Cross-Site Scripting (XSS) vulnerability was found in Schneider Electric’s PowerLogic PM800 Power Meter with the PM8ECC Ethernet Communications Card.

The PM8ECC has the ability to host custom HTML pages. One component of custom HTML pages is "Dynamic Components": special delimiters that allow the PM8ECC to dynamically retrieve MODBUS™ register data from the PM800 meter device. Part of this process is to parse POST requests and send real-time data back to the web page. A reflected XSS vulnerability is present which allows an unauthenticated attacker to inject arbitrary JavaScript via a specially crafted URL request, because the response containing the user-supplied data is returned to the web browser without being made safe to display. (http:///Post__PL__Data?R=PL__alert("XSS"))

Disclosure Timeline

04 August 2015
– Cross-site Scripting vulnerability discovered. Further testing commenced

21 August 2015
– Requested email from vendor via website for secure communications

25 August 2015
– Received email from vendor with security contact and PGP key

12 October 2015
– Emailed vendor full vulnerability details

October 2015 – May 2016
– Various requests to vendor for update
– Vendor responded to all requests with acceptable actions underway

11 May 2016
– Security notification released by Schneider Electric
– PM8ECC V2.651 Firmware released by Schneider Electric

21 June 2016
– Homeland Security Advisory (ICSA-16-173-02) released to public

Tested versions

This vulnerability was tested on the Schneider Electric PowerLogic PM810MG running firmware version 12.200, with the PM8ECC running firmware version 2.400 (hardware version C1).

Details

A vulnerability in the "R" parameter of Post__PL__Data allows a remote, unauthenticated attacker to inject arbitrary JavaScript: the parameter value is reflected inside a quoted string, so a payload that escapes from the quotation marks is executed by the browser.

An attacker may exploit the reflected XSS vulnerability to cause a victim to execute the malicious JavaScript code within the user’s browser. The malicious code can perform arbitrary actions on the victim’s behalf.

The PM8ECC has the ability to host custom HTML pages. One component of custom HTML pages is "Dynamic Components": special delimiters that allow the PM8ECC to dynamically retrieve MODBUS™ register data from the PM800 meter device. Part of this process is to parse POST requests and send real-time data back to the web page. A reflected XSS vulnerability is present which allows an unauthenticated attacker to inject arbitrary JavaScript via a specially crafted URL request, because the response containing the user-supplied data is returned to the web browser without being made safe to display.
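The defect described above is the classic reflection-into-a-quoted-string bug. The following Python model is an added example, not code from the write-up or from Schneider Electric's firmware: it assumes (because the real PM8ECC markup is not shown) that the reply embeds the R value in a JavaScript string literal, and places the vulnerable renderer beside a hardened one that applies a register-name allowlist first and context-aware encoding second. The template, function names and the `PL__` naming rule are assumptions made for illustration.

```python
import json
import re

# Assumed model of the reply: the write-up only states that the reflected value
# lands inside quotation marks, so this template is a stand-in, not the real markup.
UNSAFE_TEMPLATE = '<script>var register = "{value}";</script>'

# Assumed allowlist: a Modbus register label only needs letters, digits and underscores.
REGISTER_NAME = re.compile(r"PL__[A-Za-z0-9_]{1,64}")


def render_unsafe(r_param: str) -> str:
    """Vulnerable pattern: the parameter is pasted verbatim into a JS string
    literal, so a double quote in the input terminates the literal early."""
    return UNSAFE_TEMPLATE.format(value=r_param)


def is_valid_register(r_param: str) -> bool:
    """Allowlist check: anything outside the register-name alphabet is rejected."""
    return REGISTER_NAME.fullmatch(r_param) is not None


def render_safe(r_param: str) -> str:
    """Hardened pattern: reject unexpected input, then encode for the JS-string context."""
    if not is_valid_register(r_param):
        raise ValueError(f"rejected register name: {r_param!r}")
    # json.dumps escapes quotes and backslashes; the extra replacements guarantee
    # that a literal '</script>' can never appear inside the emitted page.
    literal = json.dumps(r_param).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var register = {literal};</script>"


# Matches a reply whose script body is exactly one well-formed string literal
# (no unescaped quote inside). Used below to contrast the two renderers.
ONE_LITERAL = re.compile(r'<script>var register = "((?:[^"\\<>]|\\.)*)";</script>')


def value_stays_inside_literal(rendered: str) -> bool:
    """True when the reflected value did not break out of the string literal."""
    return ONE_LITERAL.fullmatch(rendered) is not None


if __name__ == "__main__":
    for value in ("PL__kW_Total", 'PL__alert("XSS")'):
        page = render_unsafe(value)
        print(f"unsafe  {value!r:24} stays inside literal: {value_stays_inside_literal(page)}")
        try:
            page = render_safe(value)
            print(f"safe    {value!r:24} -> {page}")
        except ValueError as err:
            print(f"safe    {value!r:24} -> {err}")
```

The allowlist alone would have stopped the reported payload, but the encoding step is what makes the handler correct for any value that reaches it; relying on one of the two is how reflection bugs survive a partial fix.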

Overall CVSS Score: 6.1

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C

Vulnerable URLs

http://target/Post__PL__Data?R=PL__alert("XSS")
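Until the V2.651 firmware is deployed, the request shape above is easy to spot in web server or proxy logs. The following detector is an added example (not from the write-up): it parses Common Log Format lines, decodes the R parameter of any request to /Post__PL__Data, and flags values that fall outside the register-name alphabet. The log lines are constructed for this example, and the `PL__` naming rule is assumed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log (Common Log Format); the addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Aug/2015:10:15:02 +0000] "GET /Post__PL__Data?R=PL__kW_Total HTTP/1.1" 200 312',
    '10.0.0.9 - - [04/Aug/2015:10:16:41 +0000] "GET /Post__PL__Data?R=PL__alert(%22XSS%22) HTTP/1.1" 200 340',
    '10.0.0.9 - - [04/Aug/2015:10:17:03 +0000] "GET /Post__PL__Data?R=PL__%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 355',
    '10.0.0.7 - - [04/Aug/2015:10:18:10 +0000] "GET /index.htm HTTP/1.1" 200 1024',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumed allowlist for legitimate register names (same rule a fixed handler would enforce).
REGISTER_NAME = re.compile(r"PL__[A-Za-z0-9_]{1,64}")


def parse_log_line(line: str):
    """Return the CLF fields as a dict, or None for lines that do not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def r_values(target: str):
    """Every R= value sent to the vulnerable endpoint, percent-decoded twice so a
    double-encoded payload is inspected in its final form."""
    parts = urlsplit(target)
    if parts.path != "/Post__PL__Data":
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
    return [unquote(value) for value in query.get("R", [])]


def flag_suspicious(lines):
    """(client ip, decoded R value) for each request whose R parameter is not a plain register name."""
    hits = []
    for line in lines:
        record = parse_log_line(line)
        if record is None:
            continue
        for value in r_values(record["target"]):
            if REGISTER_NAME.fullmatch(value) is None:
                hits.append((record["ip"], value))
    return hits


if __name__ == "__main__":
    for ip, value in flag_suspicious(SAMPLE_LOG):
        print(f"suspicious R parameter from {ip}: {value!r}")
```

Matching on the allowlist rather than on `alert(` or `<script` means obfuscated variants are caught the same way as the published payload, and the decoded value in the hit is what you would hand to whoever investigates the source address.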

XSS Proof-of-concept (POC)

The following proof-of-concept (POC) demonstrates the injection:

# Get request

(Shown in the original post as a screenshot of the crafted GET request; not reproduced here.)

# Reply

(Shown in the original post as a screenshot, "powermeter_pm800_xss", of the reply rendering the injected script; not reproduced here.)