CVE-2024-5559
📋 TL;DR
This vulnerability stems from the use of a broken cryptographic algorithm in Schneider Electric devices: an attacker who enters specially crafted reset tokens via the front panel can cause a denial of service, force device reboots, or gain full control. It affects Schneider Electric relay devices running vulnerable firmware versions. Physical or network-accessible front panel access is required for exploitation.
💻 Affected Systems
- Schneider Electric SEPAM series relays
📦 What is this software?
Powerlogic P5 Firmware by Schneider Electric
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control of the relay device, potentially disrupting critical infrastructure operations or using the device as an entry point into industrial control networks.
Likely Case
Denial of service through device reboot, causing temporary disruption to industrial processes or protection systems.
If Mitigated
Minimal impact if physical access controls prevent unauthorized front panel access and network segmentation isolates devices.
🎯 Exploit Status
Exploitation requires crafting specific reset tokens using knowledge of the broken cryptographic algorithm, but no authentication is needed once physical or network access to the front panel is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check SEVD-2024-163-02 for specific patched firmware versions
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-163-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-163-02.pdf
Restart Required: Yes
Instructions:
1. Download the patched firmware from Schneider Electric's website.
2. Follow Schneider Electric's firmware update procedures for SEPAM relays.
3. Apply the firmware update to all affected devices.
4. Verify the update was successful and test device functionality.
🔧 Temporary Workarounds
Restrict Physical Access
Implement strict physical security controls to prevent unauthorized access to device front panels.
Network Segmentation
Isolate relay devices on dedicated industrial network segments, with firewall rules blocking unnecessary access to front panel interfaces.
🧯 If You Can't Patch
- Implement strict physical access controls and surveillance for all relay devices.
- Monitor network traffic to front panel interfaces for anomalous reset attempts.
🔍 How to Verify
Check if Vulnerable:
Compare the device firmware version against the vulnerable versions listed in the SEVD-2024-163-02 advisory.
Check Version:
Use Schneider Electric's device management software or front panel display to check firmware version (specific command varies by device model).
Verify Fix Applied:
Verify that the firmware version has been updated to a patched version listed in the advisory, then test the reset functionality.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed reset attempts via front panel
- Unexpected device reboots
- Front panel access from unauthorized locations
Network Indicators:
- Network traffic to front panel interface ports from unexpected sources
- Anomalous reset command patterns
SIEM Query:
Search for events containing 'reset token', 'front panel access', or device reboot events outside maintenance windows.
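Added detection example, not code from the advisory or from Schneider Electric: a Python routine that applies the log indicators above to constructed sample lines in a hypothetical "date time device message" format, flagging repeated rejected reset tokens per device and reboots outside an assumed 02:00-04:00 maintenance window. The log format, thresholds and window are assumptions to be adapted to your SIEM.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample events in a hypothetical "date time device message" format;
# real SEPAM/PowerLogic log formats differ and must be mapped in your SIEM.
SAMPLE_LOG = """\
2024-06-10 09:00:05 relay-07 front panel: reset token rejected
2024-06-10 09:00:41 relay-07 front panel: reset token rejected
2024-06-10 09:01:12 relay-07 front panel: reset token rejected
2024-06-10 09:01:30 relay-07 device reboot (reason: reset token accepted)
2024-06-10 03:10:00 relay-02 device reboot (reason: firmware update)
2024-06-10 14:20:00 relay-03 front panel: reset token rejected
"""

FAILED_RESET_THRESHOLD = 3  # rejected tokens per device ...
FAILED_RESET_WINDOW = timedelta(minutes=10)  # ... within this sliding window
MAINTENANCE_START, MAINTENANCE_END = time(2, 0), time(4, 0)  # assumed window

def parse_events(text):
    """Yield (timestamp, device, message) tuples from the constructed format."""
    for line in text.splitlines():
        date, clock, device, message = line.split(" ", 3)
        yield datetime.fromisoformat(f"{date} {clock}"), device, message

def in_maintenance_window(ts):
    """True when the event falls inside the assumed maintenance window."""
    return MAINTENANCE_START <= ts.time() < MAINTENANCE_END

def detect(text):
    """Return (device, reason) alerts for the two indicators, in time order."""
    alerts = []
    failures = defaultdict(list)  # device -> timestamps of rejected tokens
    for ts, device, message in sorted(parse_events(text)):
        if "reset token rejected" in message:
            # keep only rejections inside the sliding window, then add this one
            recent = [t for t in failures[device] if ts - t <= FAILED_RESET_WINDOW]
            recent.append(ts)
            failures[device] = recent
            if len(recent) == FAILED_RESET_THRESHOLD:
                alerts.append((device, "repeated failed reset tokens via front panel"))
        elif "device reboot" in message and not in_maintenance_window(ts):
            alerts.append((device, "reboot outside maintenance window"))
    return alerts

if __name__ == "__main__":
    for device, reason in detect(SAMPLE_LOG):
        print(f"ALERT {device}: {reason}")
```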