Introduction
Description
Version 1.2 – August 26, 2019
Version 1.1 – February 28, 2019
Version 1.0 – February 13, 2019
Rockwell Automation® Product Security Incident Response Team ("RA PSIRT") was made aware of two vulnerabilities logged in the National Vulnerability Database ("NVD") regarding the Allen-Bradley PowerMonitor™ 1000 monitors. The public disclosure includes details which can allow for potential reproduction and exploitation of these vulnerabilities.
PowerMonitor products are energy metering devices that integrate with existing energy monitoring systems to provide load profiling, cost allocation, and/or energy control information for customers’ systems.
UPDATE v1.2 - Rockwell Automation has released a remediation that addresses both vulnerabilities. Please see the Risk Mitigations and Recommended User Actions section for additional details.
Customers using this product are encouraged to evaluate their risk and apply the appropriate mitigations provided below to their deployed products. Additional security guidelines are provided in the Risk Mitigations and Recommended User Actions sections below.
AFFECTED PRODUCTS
- PowerMonitor 1000 Monitors, All Versions prior to v4.019.
VULNERABILITY DETAILS
Vulnerability #1: Cross-Site Scripting
A vulnerability in the web application of the affected device could allow a remote, unauthenticated threat actor to inject arbitrary code into a targeted user’s web browser. The impact to the user is highly dependent on both the content of the exploit developed by the threat actor as well as the mitigations that the user may already employ in their system. The target of this type of attack is not the device itself; instead, it is used as a vehicle to deliver an attack to the web browser.
CVE-2018-19615 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 7.4/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H.
Vulnerability #2: Authentication Bypass
A vulnerability in the web application of the affected device could allow a remote, unauthenticated threat actor to use a proxy to enable certain functionality that is typically available to those with administrative rights for the web application. Upon successful exploitation, a threat actor could potentially disrupt user settings and device configuration.
CVE-2018-19616 has been assigned to this vulnerability. Rockwell Automation evaluated the vulnerability using the Common Vulnerability Scoring System ("CVSS") v3.0. A CVSS v3 base score of 9.1/10 has been assigned. For a better understanding of how this score was generated, please follow this link with the CVSS v3 vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H.
RISK MITIGATIONS and RECOMMENDED USER ACTIONS
Customers are encouraged to assess their level of risk with respect to their specific applications and implement appropriate mitigations as needed. RA PSIRT is monitoring the situation and will provide specific remediation information when available.
Customers are directed to the general risk mitigation strategies provided below and are encouraged, when possible, to employ multiple strategies simultaneously.
Vulnerability | Catalog Numbers | Suggested Actions |
#1: Cross Site Scripting | 1408-BC3A-ENT, 1408-EM3A-ENT, 1408-TS3A-ENT | |
#2: Authentication Bypass | 1408-BC3A-ENT, 1408-EM3A-ENT, 1408-TS3A-ENT | |
GENERAL SECURITY GUIDELINES
- Utilize proper network infrastructure controls, such as firewalls, to help ensure that access from unauthorized sources is blocked.
- Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet. For further information about the risks of unprotected Internet accessible control systems, please see Knowledgebase Article ID 494865.
- When remote access is required, use secure methods, such as virtual private networks ("VPNs"), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.
Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.
We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, at: 54102 - Industrial Security Advisory Index.
Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions website.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.
ADDITIONAL LINKS
- 54102 - Industrial Security Advisory Index
- Industrial Firewalls within a CPwE Architecture
- Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide
- [ICS-CERT/NCCIC] ICSA-19-050-04 Rockwell Automation Allen-Bradley Power Monitor 1000
REVISION HISTORY
Date | Version | Details |
26-August-2019 | 1.2 | Firmware Revision 4.019 released, addresses vulnerabilities |
28-February-2019 | 1.1 | Updated with ICS-CERT links, corrected typos, added security mitigations |
13-February-2019 | 1.0 | Initial Release |