ICS-CERT: Schneider Quantum Ethernet Module Vulnerability

Friday, January 20, 2012

This Advisory is a follow-up to the original ICS-CERT Alert titled “ICS-ALERT-11-346-01 - Schneider Quantum Ethernet Module Credentials” that was published December 12, 2011, on the ICS-CERT web page.

On December 12, 2011, independent security researcher Rubén Santamarta publicly announced information regarding hard-coded credentials in the Schneider Electric Quantum Ethernet Module.

The credentials publicized grant access to the Telnet port, Windriver Debug port, and the FTP service. Prior to publication, Mr. Santamarta coordinated these vulnerabilities with ICS-CERT.

ICS-CERT has coordinated with Schneider Electric, and they have produced a patch for a portion of the reported vulnerabilities. Schneider Electric is continuing to develop additional updates for the remaining reported vulnerabilities.

Additional information regarding mitigations will be issued as it becomes available.

The following products and versions are affected:

Quantum

  • 140NOE77101 Firmware V4.9 and all previous versions.
  • 140NOE77111 Firmware V5.0 and all previous versions.
  • 140NOE77100 Firmware V3.4 and all previous versions.
  • 140NOE77110 Firmware V3.3 and all previous versions.
  • 140CPU65150 Firmware V3.5 and all previous versions.
  • 140CPU65160 Firmware V3.5 and all previous versions.
  • 140CPU65260 Firmware V3.5 and all previous versions.
  • 140NOC77100 Firmware V1.01 and all previous versions.
  • 140NOC77101 Firmware V1.01 and all previous versions.
  • Any available conformal-coated versions of the above part numbers.

Premium

  • TSXETY4103 Firmware V5.0 and all previous versions.
  • TSXETY5103 Firmware V5.0 and all previous versions.
  • TSXP571634M Firmware V4.9 and all previous versions.
  • TSXP572634M Firmware V4.9 and all previous versions.
  • TSXP573634M Firmware V4.9 and all previous versions.
  • TSXP574634M Firmware V3.5 and all previous versions.
  • TSXP575634M Firmware V3.5 and all previous versions.
  • TSXP576634M Firmware V3.5 and all previous versions.
  • TSXETC101 Firmware V1.01 and all previous versions.
  • Any available conformal-coated versions of the above part numbers.

M340

  • BMXNOE0100 Firmware V2.3 and all previous versions.
  • BMXNOE0110 Firmware V4.65 and all previous versions.
  • BMXNOC0401 Firmware V1.01 and all previous versions.

The following products are affected by the FTP Service vulnerabilities only (not affected by Telnet or Windriver Debug vulnerabilities):

  • STBNIC2212 Firmware V2.10 and all previous versions.
  • STBNIP2311 Firmware V3.01 and all previous versions.
  • STBNIP2212 Firmware V2.73 and all previous versions.
  • BMXP342020 Firmware V2.2 and all previous versions.
  • BMXP342030 Firmware V2.2 and all previous versions.

IMPACT

Successful exploitation of these vulnerabilities may allow an attacker to gain elevated privileges, to load a modified firmware, or to perform other malicious activities on the system.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

Schneider Electric is a manufacturer and integrator of energy management and industrial automation systems, equipment, and software. The affected Schneider Electric systems are found primarily in energy, manufacturing, and infrastructure applications. Schneider Electric reports operations in over 100 countries worldwide.

VULNERABILITY OVERVIEW - HARD-CODED CREDENTIALS

Mr. Santamarta’s report revealed multiple hard-coded credentials that enable access to the following services:

  • Telnet port—May allow remote attackers the ability to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
  • Windriver Debug port—Used for development (the Wind River VxWorks WDB debug agent, which is not needed in production); may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
  • FTP service—May allow an attacker to modify the module website, download and run custom firmware, and modify the HTTP passwords.

CVE-2011-4859 has been assigned to this vulnerability group. A CVSS V2 base score of 10.0 has also been assigned; in CVSS v2 that score corresponds to the vector AV:N/AC:L/Au:N/C:C/I:C/A:C, i.e. reachable over the network, low attack complexity, no authentication required, and complete loss of confidentiality, integrity, and availability.

EXPLOITABILITY

These vulnerabilities are remotely exploitable.

EXISTENCE OF EXPLOIT

Public exploits are known to target these vulnerabilities.

DIFFICULTY

An attacker with a low skill level could exploit these vulnerabilities.

MITIGATION

Schneider Electric has created a patch for the Telnet and Windriver debug port vulnerabilities for the BMXNOE01x0 and 140NOE771x1 modules; the patch is posted on the Schneider Electric website: http://www.schneider-electric.com

This patch removes the Telnet and Windriver debug services from the modules. According to Schneider Electric, the patch does not reduce the product's functionality or affect the performance of customer installations, because the Telnet and Windriver debug services are installed only for advanced troubleshooting and are not intended for customer use.

Organizations still need to evaluate the impact of removing these services before applying the fix, and should confirm afterwards that neither service answers on the network. Note that the patch does not address the FTP credentials; ICS-CERT will provide additional information as mitigations become available for the other identified vulnerabilities.

Schneider Electric has provided the following patches on their website:

  • 140NOE77101 Exec V5.01 for Unity Users
  • 140NOE77111 Exec V5.11
  • BMXNOE0100 Exec V2.50 - M340 Ethernet Module
  • BMXNOE0110 Exec V5.3 - M340 Ethernet Module
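The affected-product list and the patch list above are easier to apply as a check than as prose. The following added example (mine, not code from the ICS-CERT advisory or from Schneider Electric) transcribes both tables and runs a constructed sample inventory against them, reporting which credential-protected services the advisory says are still reachable at each firmware level. It assumes that Schneider exec versions compare as decimal numbers (so V4.65 is older than V4.9 and V3.10 is newer than V3.01) and that conformal-coated variants carry a trailing C on the part number; the advisory states neither.

```python
"""Check a module inventory against the affected-product and patch lists
in ICSA-12-018-01.

Added example, not code from the ICS-CERT advisory or from Schneider
Electric. Version tables are transcribed from the advisory text; the
inventory below is constructed sample data. Assumptions: exec versions
such as "V5.01" compare as decimals, and conformal-coated parts carry a
trailing "C" (e.g. 140NOE77101C).
"""
from decimal import Decimal

# Last affected firmware per part ("and all previous versions"); these
# parts expose the Telnet, Windriver debug and FTP credentials.
FULLY_AFFECTED = {
    "140NOE77101": "4.9", "140NOE77111": "5.0", "140NOE77100": "3.4",
    "140NOE77110": "3.3", "140CPU65150": "3.5", "140CPU65160": "3.5",
    "140CPU65260": "3.5", "140NOC77100": "1.01", "140NOC77101": "1.01",
    "TSXETY4103": "5.0", "TSXETY5103": "5.0", "TSXP571634M": "4.9",
    "TSXP572634M": "4.9", "TSXP573634M": "4.9", "TSXP574634M": "3.5",
    "TSXP575634M": "3.5", "TSXP576634M": "3.5", "TSXETC101": "1.01",
    "BMXNOE0100": "2.3", "BMXNOE0110": "4.65", "BMXNOC0401": "1.01",
}
# Parts affected by the FTP credentials only.
FTP_ONLY_AFFECTED = {
    "STBNIC2212": "2.10", "STBNIP2311": "3.01", "STBNIP2212": "2.73",
    "BMXP342020": "2.2", "BMXP342030": "2.2",
}
# Exec versions Schneider posted that remove Telnet and Windriver debug.
# They do not fix the FTP credentials (that fix is still pending).
TELNET_WDB_PATCH = {
    "140NOE77101": "5.01", "140NOE77111": "5.11",
    "BMXNOE0100": "2.50", "BMXNOE0110": "5.3",
}
KNOWN_PARTS = set(FULLY_AFFECTED) | set(FTP_ONLY_AFFECTED)
ALL_SERVICES = frozenset({"telnet", "windriver-debug", "ftp"})


def parse_version(text):
    """'V5.01', 'v5.01' or '5.01' -> Decimal('5.01').

    Decimal, not tuple, comparison: Schneider writes two-digit minors,
    so V4.65 < V4.9 and V3.10 > V3.01 (assumption, see module docstring).
    """
    text = text.strip()
    if text[:1] in ("V", "v"):
        text = text[1:]
    return Decimal(text)


def normalize_part(part):
    """Map a conformal-coated part (trailing 'C', assumed) to its base part."""
    part = part.strip().upper()
    if part.endswith("C") and part[:-1] in KNOWN_PARTS:
        return part[:-1]
    return part


def assess(part, firmware):
    """Return {'listed', 'open', 'patch'} for one module.

    open:  services the advisory says the hard-coded credentials reach
    patch: exec version that removes Telnet/Windriver debug, if posted
    """
    base = normalize_part(part)
    ver = parse_version(firmware)
    if base in FULLY_AFFECTED:
        last, services = Decimal(FULLY_AFFECTED[base]), ALL_SERVICES
    elif base in FTP_ONLY_AFFECTED:
        last, services = Decimal(FTP_ONLY_AFFECTED[base]), frozenset({"ftp"})
    else:
        return {"part": part, "listed": False, "open": set(), "patch": None}
    patch = TELNET_WDB_PATCH.get(base)
    if patch is not None and ver >= Decimal(patch):
        open_services = {"ftp"}        # exec removed Telnet/WDB; FTP still open
    elif ver <= last:
        open_services = set(services)  # within the listed affected range
    else:
        open_services = set()          # newer than the listed range
    return {"part": part, "listed": True, "open": open_services, "patch": patch}


def report(lines):
    """Assess 'host,part,firmware' lines; blanks and # comments are skipped."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, part, firmware = (f.strip() for f in line.split(","))
        row = assess(part, firmware)
        row["host"] = host
        rows.append(row)
    return rows


# Constructed sample inventory (not real plant data).
INVENTORY = """\
# host,part,firmware
plc-line1,140NOE77101,V4.9
plc-line1,140NOE77101C,V5.01
plc-line2,BMXNOE0110,V4.65
rio-cell3,STBNIP2311,V3.01
rio-cell3,STBNIP2311,V3.10
hmi-gw,BMXNOC0401,V1.02
"""

if __name__ == "__main__":
    for row in report(INVENTORY.splitlines()):
        status = ", ".join(sorted(row["open"])) or "none listed"
        hint = f"; Telnet/WDB patch: exec {row['patch']}" if "telnet" in row["open"] and row["patch"] else ""
        print(f"{row['host']:<10} {row['part']:<13} open: {status}{hint}")
```

Two outcomes are worth noting when reading the report: a module already running one of the posted execs still shows FTP as open, because the advisory says the FTP fix is pending, and a firmware newer than the listed affected range but below the posted exec (for example a hypothetical 140NOE77101 V5.00) is reported as not listed rather than as fixed, so it should be checked against Schneider's own release notes before being treated as clean.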

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICSA-12-018-01.pdf
