Vulnerabilities Discovered on Elvaco M-Bus Metering Gateway CMe3100
By David Silva on October 25, 2024
Executive Summary
Four vulnerabilities have been identified in Elvaco’s M-Bus Metering Gateway CMe3100. They could allow attackers to take control of admin accounts, execute code, or use commands without authentication. These vulnerabilities were reported to the Cybersecurity and Infrastructure Security Agency (CISA) by Tomer Goldschmidt of Claroty Research, and an advisory was put out on October 17, 2024. Since then, Elvaco has not responded to any requests to mitigate these vulnerabilities. A patch addressing these issues may be released in the future, but until then affected users should rely on other mitigation techniques to avoid exploitation.
Background
The Elvaco M-Bus Metering Gateway CMe3100 compiles metering data from up to 512 meters to generate reports, which the user can schedule. The device is also compatible with a variety of protocols, including BACnet, ModBus, DLMS, JSON, and REST, allowing integration with a variety of networks. The vulnerabilities found on the device include insufficiently protected credentials, improper neutralization of input during web page generation, unrestricted upload of files with dangerous types, and missing authentication for critical function.
Vulnerabilities
For insufficiently protected credentials, the method used to store credentials is insecure, allowing attackers to retrieve the credentials and impersonate a legitimate user. The improper neutralization of input during web page generation allows cross-site scripting to occur. When cross-site scripting occurs, attackers can inject a malicious script into a webpage, which is then executed when an unsuspecting victim visits the webpage. Attackers may also be able to execute code due to the unrestricted upload of files with dangerous types. Finally, the missing authentication for critical functions allows attackers to use commands on the device without properly authenticating. This would allow attackers to leak information about any connected meters without ever needing to steal credentials in the first place. Because exploiting these vulnerabilities is relatively simple, an attacker with little technical knowledge could potentially exploit them, especially if the device is connected to the internet and not properly secured.
Conclusion
Even though there are no patches yet to fix these vulnerabilities, CISA recommends using some mitigation tactics to increase security and minimize the risk of exploitation. Although some mitigation techniques may not be possible to implement, it is important to use defense in depth to reduce your attack surface as much as possible. Devices should not be accessible from the internet, and when remote access is needed, users should be required to use secure methods like VPNs. Also, installing firewalls between the control system network and the business network is important to keep critical systems protected.
References
Common Weakness Enumeration. (2024). CWE-306: Missing Authentication for Critical Function. https://cwe.mitre.org/data/definitions/306.html
Common Weakness Enumeration. (2024). CWE-434: Unrestricted Upload of File with Dangerous Type. https://cwe.mitre.org/data/definitions/434.html
Common Weakness Enumeration. (2024). CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’). https://cwe.mitre.org/data/definitions/79.html
Common Weakness Enumeration. (2024). CWE-522: Insufficiently Protected Credentials. https://cwe.mitre.org/data/definitions/522.html
Cybersecurity & Infrastructure Security Agency. (2024). Elvaco M-Bus Metering Gateway CMe3100. Cybersecurity & Infrastructure Security Agency. https://www.cisa.gov/news-events/ics-advisories/icsa-24-291-01
Elvaco. (n.d.) CMe3100. Elvaco. https://www.elvaco.com/en/product/infrastructure/cme3100-m-bus-metering-gateway-for-fixed-network–CMe3100