Schneider Electric PowerLogic HDPM6000 Improper Buffer Operation Vulnerability Allowing Unauthorized Configuration Modification

A vulnerability exists in the Schneider Electric PowerLogic HDPM6000 High-Density Metering System, specifically in versions through v0.62.7. This vulnerability, categorized as CWE-119, allows an unauthorized attacker to modify configuration values beyond the normal range. The issue arises when specific Modbus write packets are sent to the device, potentially leading to invalid data, corruption of the web interface, or a denial-of-service condition on the interface.

Impact

Exploitation of this vulnerability could result in unauthorized modification of configuration values, introduction of invalid data, corruption of the device's web interface, or a denial-of-service condition on the web interface.

Remediation

Users of the PowerLogic HDPM6000 should upgrade to version v0.62.11 or newer, which includes a fix for this vulnerability. If the upgrade is performed through the web user interface, a device restart will occur automatically. If using the HDPM6000 Manager software, the device will need to be restarted manually. For those who choose not to apply the update, it is recommended to ensure the device is not accessible via the Modbus protocol outside the local network segment, using appropriate firewall configurations and controls.