Widespread Industrial Power Monitors Exposed to Remote Hacking Vulnerabilities

A widely utilized industrial power monitoring device has been found to have three significant vulnerabilities in its firmware that could enable cyber attackers to interfere with operations by either crashing the device remotely or executing unauthorized code.

Further Reading: Live Webinar | Virtual conference: Strategies for enhancing OT resilience with limited resources

The device in question, the Rockwell Automation PowerMonitor 1000 Remote, received firmware updates in December following the identification of these vulnerabilities by researchers at cybersecurity firm Claroty. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings that these flaws are remotely exploitable with low complexity for attackers.

The PowerMonitor 1000 is commonly used in a variety of critical operational settings, ranging from grid capacity planning to managing power supply contracts. Claroty researchers emphasized in a recent blog post that even devices perceived as harmless, like power monitors, can be targeted by malicious actors.

All three identified vulnerabilities have been assigned a CVSS score of 9.8 by CISA, categorizing them as critical threats.

The first flaw, designated CVE-2024-12371, pertains to an authentication bypass due to a logic error in the device’s setup page. This flaw would allow an attacker to invoke a “first-run” configuration process, thereby creating a new administrative account even on devices that are already configured, granting unauthorized access without valid credentials.

The second vulnerability, tracked as CVE-2024-12373, is a buffer overflow resulting from inadequate checks on web-based configuration requests. An attacker could exploit this by submitting a request with an excessive number of parameters, enabling them to overwrite adjacent memory areas, thereby gaining privileged access or potentially executing harmful code.

The third vulnerability, identified as CVE-2024-12372, involves a heap buffer overflow in the digest authentication process. A malicious actor could exploit this by submitting an excessively long uniform resource identifier during login, leveraging unsafe memory functions such as sprintf, which lack bounds checks, allowing for the overwriting of critical memory structures.

Claroty successfully reverse-engineered the firmware available on the Rockwell Automation website to expose these vulnerabilities. The firmware operates on a real-time operating system grounded in Digi’s NET+OS and utilizes the Treck TCP/IP stack, a configuration not uncommon in embedded industrial systems, which complicates the detection of such vulnerabilities.

Rockwell Automation has released updated firmware, designated as revision 4.020, as of late last year. The company is urging users to promptly update the affected devices. Both Rockwell and CISA have released security advisories offering mitigation strategies and technical guidance.