PM8000 - Perceived security flaws and general security

Rich_Lannaghan · ‎2018-10-15

We have a client who has done a vulnerability scan on the network where we have a few devices connected to their network (specification was for an integrated building network) the one device that's causing issues for us is the PM8000 and they are classing the below from their reports as flaws or vulerabilities,

Vulnerability in bold, suggested remidiation in italics

1. IP Forwarding Enabled - "On Linux, you can disable IP forwarding by doing :
echo 0 > /proc/sys/net/ipv4/ip_forward
On Windows, set the key 'IPEnableRouter' to 0 under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
On Mac OS X, you can disable IP forwarding by executing the command :
sysctl -w net.inet.ip.forwarding=0
For other systems, check with your vendor."

2. Modbus/TCP Coil Access - Restrict access to the Modbus port (TCP/502) to authorized Modbus clients

3. Modbus/TCP Discrete Input Access - Restrict access to the Modbus port (TCP/502) to authorized Modbus clients.

4. Modbus/TCP Device Identification - Restrict access to the Modbus port (TCP/502) to authorized Modbus clients.

4. Web Application Potentially Vulnerable to Clickjacking - "Return the X-Frame-Options or Content-Security-Policy (with the 'frame-ancestors' directive) HTTP header with the page's response.This prevents the page's content from being rendered by another site when using the frame or iframe HTML tags."

5. Web Server Transmits Cleartext Credentials - Make sure that every sensitive form transmits content over HTTPS.

We have had discussions with them and highlighetd the fact that we can't run the commands they are suggesting, i also cant see a way of filtering the TCP requests to specific IP's

The webserver is easy enough to sort as i can just shut it down on the meter but the others are proving more of an issue, I have suggested that all these should be fixed by them using their firewalls and routed network but that's falling on deaf ears, all i get is "speak to the manufacturer and request a fix"

Any ideas or suggestions for a way to try and solve these issues or is there some settings hidden in the PM8000 that we can indeed use to sort the above ?

Cliff_Schubert · ‎2018-10-17

(*this comment and response was also posted in the EcoStruxure Power Monitoring Expert area - https://community.se.com/t5/EcoStruxure-Power-Monitoring/PM8000-Perceived-security-flaws-and-general...)

Hi Rich,

#1 IP forwarding is fixed in PM8000 firmware version 1.4.3
https://www.schneider-electric.com/en/download/document/PM8000_V001.004.003/

#2-4 - Modbus TCP can be configured to be disabled, read-only mode, and read-write mode. By default it is in read-only mode, set by the 'Allow Modbus Programming' option in the Security Options module.

Can you elaborate more on the end-users' concern with the available options?

#4 - Web page Clickjacking - noted and we are able to confirm the issue.

#5 - HTTPS support is part of the next PM8000 release, tentatively scheduled for early 2019. As you suggest, it can also be disabled if the user is not using that feature.

Thanks - Cliff

See Answer In Context

Cliff_Schubert · ‎2018-10-17

(*this comment and response was also posted in the EcoStruxure Power Monitoring Expert area - https://community.se.com/t5/EcoStruxure-Power-Monitoring/PM8000-Perceived-security-flaws-and-general...)

Hi Rich,

#1 IP forwarding is fixed in PM8000 firmware version 1.4.3
https://www.schneider-electric.com/en/download/document/PM8000_V001.004.003/

#2-4 - Modbus TCP can be configured to be disabled, read-only mode, and read-write mode. By default it is in read-only mode, set by the 'Allow Modbus Programming' option in the Security Options module.

Can you elaborate more on the end-users' concern with the available options?

#4 - Web page Clickjacking - noted and we are able to confirm the issue.

#5 - HTTPS support is part of the next PM8000 release, tentatively scheduled for early 2019. As you suggest, it can also be disabled if the user is not using that feature.

Thanks - Cliff