Advisory

Critical vulnerabilities in Rockwell Automation PowerMonitor 1000 enable remote takeover

Take action: If you are using Rockwell Automation PowerMonitor 1000, make sure it is isolated from the internet and reachable only from trusted networks. Patching an embedded meter may be tedious, but the unauthenticated creation of a privileged account (CVE-2024-12371) justifies prioritising analysis and, where possible, the firmware upgrade.


Learn More

Researchers at Claroty are warning about multiple critical security vulnerabilities in Rockwell Automation PowerMonitor 1000 Remote devices that could allow attackers to completely compromise industrial power monitoring systems. 

The PowerMonitor 1000 is used for measuring electrical parameters such as voltage, current, power factor, frequency, and energy consumption. It helps businesses optimize energy use, improve efficiency, and detect anomalies before they cause costly failures. 

Vulnerability summary

  • CVE-2024-12371 (CVSS score 9.8) - Unprotected Alternate Channel: allows an unauthenticated attacker to create a new Policyholder user through the device's API. Policyholder is the most privileged role on the device: it can perform edit operations, create admin users, and perform a factory reset. The flaw is a logic error in how the device handles its initial-setup page: the "first-run" setup process can be triggered on an already-configured device, yielding a fresh administrative account.
  • CVE-2024-12372 (CVSS score 9.8) - Heap-based Buffer Overflow: insufficient bounds checking in the digest authentication process lets an attacker send an HTTP request with an excessively long uniform resource identifier during a login attempt, corrupting heap memory. The result is a denial of service and potentially remote code execution.
  • CVE-2024-12373 (CVSS score 9.8) - Classic Buffer Overflow: insufficient validation of web-based configuration requests lets an attacker send a request with excessive parameters that overflows a memory buffer, causing a denial-of-service condition and potentially overwriting authentication flags.
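The two memory-safety bugs above share one shape: an attacker-controlled HTTP field is copied into a fixed-size buffer without a length check, and the bytes that spill out reach state the server trusts, such as an authentication flag. The C program below is an added illustration of that shape written for this advisory; it is not Rockwell Automation firmware and not Claroty's proof of concept. The session struct layout, the 64-byte URI limit, the header format and the helper names are assumptions chosen for the demo. The vulnerable parser lets a 68-byte digest-auth URI overwrite the flag that follows the buffer; the hardened parser rejects the request before writing anything.

```c
/*
 * Added illustration (not Rockwell firmware, not Claroty's PoC) of the bug
 * class behind CVE-2024-12372 / CVE-2024-12373: an attacker-controlled HTTP
 * field copied into a fixed-size buffer with no length check, where the
 * overflow reaches an adjacent authentication flag.  Struct layout, the
 * 64-byte limit and all names below are assumptions made for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define URI_MAX 64

/* Per-connection state as an embedded web server might keep it on the heap.
 * The authenticated flag sits directly after the URI buffer. */
struct session {
    char uri[URI_MAX];
    uint32_t authenticated;   /* nonzero => request is treated as logged in */
};

struct outcome { int rc; uint32_t flag; };

/* Locate the uri="..." parameter in an "Authorization: Digest" header value.
 * Returns a pointer to the value and stores its length, or NULL if absent. */
static const char *digest_uri(const char *header, size_t *len)
{
    const char *start = strstr(header, "uri=\"");
    if (!start)
        return NULL;
    start += strlen("uri=\"");
    const char *end = strchr(start, '"');
    if (!end)
        return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* VULNERABLE: trusts the attacker-supplied length.  Bytes beyond URI_MAX land
 * in s->authenticated.  The copy goes through the struct's own storage so the
 * flag clobber is reproducible; a longer value would corrupt the heap past
 * the struct, the denial-of-service / code-execution case. */
int copy_uri_vulnerable(struct session *s, const char *header)
{
    size_t len;
    const char *val = digest_uri(header, &len);
    if (!val)
        return -1;
    unsigned char *dst = (unsigned char *)s + offsetof(struct session, uri);
    for (size_t i = 0; i < len; i++)      /* no check against URI_MAX */
        dst[i] = (unsigned char)val[i];
    if (len < URI_MAX)
        s->uri[len] = '\0';
    return 0;
}

/* HARDENED: length is checked before any write, so the flag is unreachable. */
int copy_uri_hardened(struct session *s, const char *header)
{
    size_t len;
    const char *val = digest_uri(header, &len);
    if (!val || len >= URI_MAX)
        return -1;                        /* caller answers 400/401 */
    memcpy(s->uri, val, len);
    s->uri[len] = '\0';
    return 0;
}

/* Constructed sample input: a Digest header whose uri= value is n 'A' bytes. */
static char *make_header(size_t n)
{
    const char *prefix = "Digest username=\"admin\", realm=\"PM1000\", uri=\"";
    const char *suffix = "\", response=\"0\"";
    char *h = malloc(strlen(prefix) + n + strlen(suffix) + 1);
    if (!h)
        abort();
    strcpy(h, prefix);
    memset(h + strlen(prefix), 'A', n);
    strcpy(h + strlen(prefix) + n, suffix);
    return h;
}

/* Feed one constructed header to a parser on a fresh zeroed session and
 * report the parser's return code plus the flag value afterwards. */
struct outcome run_header(int (*parser)(struct session *, const char *), size_t n)
{
    struct session *s = calloc(1, sizeof *s);
    char *h = make_header(n);
    struct outcome o;
    o.rc = parser(s, h);
    o.flag = s->authenticated;
    free(h);
    free(s);
    return o;
}

int main(void)
{
    struct outcome o;
    o = run_header(copy_uri_vulnerable, 8);
    printf("vulnerable,  8-byte uri: rc=%d authenticated=0x%08x\n", o.rc, o.flag);
    o = run_header(copy_uri_vulnerable, URI_MAX + 4);
    printf("vulnerable, 68-byte uri: rc=%d authenticated=0x%08x\n", o.rc, o.flag);
    o = run_header(copy_uri_hardened, URI_MAX + 4);
    printf("hardened,   68-byte uri: rc=%d authenticated=0x%08x\n", o.rc, o.flag);
    return 0;
}
```

Compile with any C99 compiler and run: the vulnerable path reports authenticated=0x41414141 for the 68-byte URI (the four 'A' bytes that spilled past the buffer), while the hardened path returns -1 and leaves the flag at zero. The same discipline applies to the configuration-request parameters behind CVE-2024-12373: check length and parameter count against the destination before any copy, and keep security state out of memory adjacent to attacker-controlled buffers.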

Rockwell Automation reports that all PowerMonitor 1000 Remote (PM1k) models (1408-BC3A-485, 1408-BC3A-ENT, 1408-TS3A-485, 1408-TS3A-ENT, 1408-EM3A-485, 1408-EM3A-ENT, 1408-TR1A-485, 1408-TR2A-485, 1408-EM1A-485, 1408-EM2A-485, 1408-TR1A-ENT, 1408-TR2A-ENT, 1408-EM1A-ENT, 1408-EM2A-ENT) running firmware revisions prior to 4.020 are affected.

Organizations can read the current firmware revision from the device's web interface or its front-panel display; the PowerMonitor 1000 is an embedded meter with no user shell, so there is no command-line version check to run on it.

Rockwell Automation has fixed the flaws in firmware revision 4.020 and recommends that users upgrade to the latest available version.

For organizations unable to upgrade immediately, Rockwell Automation encourages users to apply security best practices: minimize network exposure for all control system devices and ensure they are not accessible from the internet; place control system networks and remote devices behind firewalls and isolate them from business networks; and use secure methods such as virtual private networks (VPNs) when remote access is required.
