OTPulse

Rockwell Automation Allen-Bradley PowerMonitor 1000 (Update A)

Act Now | CVSS 9.8 | ICS-CERT ICSA-19-050-04 | Feb 19, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Two vulnerabilities in the PowerMonitor 1000 allow remote attackers to affect confidentiality, integrity, and availability. The vulnerabilities are related to cross-site scripting (CWE-79) and insufficient authentication (CWE-288) in the web interface and FTP access. No authentication is required, and the attack can be initiated from the network without user interaction.

What this means
What could happen
An attacker with network access to the PowerMonitor 1000 could retrieve sensitive data, modify device configuration or operation, or cause the device to stop functioning. This could disrupt power monitoring, demand response, or billing accuracy in an electrical distribution system.
Who's at risk
Electric utilities and energy facilities using Rockwell Automation PowerMonitor 1000 devices for power distribution monitoring and metering. Any organization relying on these devices for demand response, power factor correction monitoring, or electrical billing.
How it could be exploited
An attacker on the network can send a malicious HTTP request to the web interface or connect via FTP without credentials to exploit the vulnerabilities. No user interaction or authentication is required.
Prerequisites
  • Network access to the PowerMonitor 1000 device on port 80 (HTTP) or port 21 (FTP)
  • No credentials required
Remotely exploitable, no authentication required, low complexity, high CVSS score (9.8), affects power monitoring operations
Exploitability
Moderate exploit probability (EPSS 2.6%)
Affected products (1)
Product | Affected Versions | Fix Status
PowerMonitor 1000: all versions | All versions | FRN 4.019
Remediation & Mitigation
Do now
  • WORKAROUND: Disable FTP port using LCD configuration menu or configuration options
  • WORKAROUND: Disable web interface access using LCD screen configuration menu or configuration options
  • HARDENING: Restrict network access to PowerMonitor 1000 to authorized sources only via firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Apply firmware update FRN 4.019 from Rockwell Automation
Long-term hardening
  • HARDENING: Isolate PowerMonitor 1000 and other power monitoring devices behind a firewall and away from the business network