Holes in Schneider Ethernet Module

Tuesday, December 13, 2011 @ 01:12 PM gHale


There are multiple vulnerabilities affecting the Schneider Electric Quantum Ethernet Module.

ICS-CERT is coordinating mitigations with Schneider Electric and the researcher who found the vulnerabilities, Rubén Santamarta.

Schneider created a fix for two of the reported vulnerabilities and is continuing to develop additional mitigations.

Santamarta’s report identifies multiple hardcoded credentials that enable access to the following services:

Telnet port — May allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
Windriver Debug port — Used for development; may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
FTP service — May allow an attacker to modify the module website, download and run custom firmware, and modify the HTTP passwords.

ICS-CERT is currently coordinating with Schneider Electric to develop mitigations. ICS-CERT will release additional information regarding the impact and mitigations when it is available.

AFFECTED PRODUCTS
Quantum
140NOE77101 Firmware Version 4.9 and all previous versions.
140NOE77111 Firmware Version 5.0 and all previous versions.
140NOE77100 Firmware Version V3.4 and all previous versions.
140NOE77110 Firmware Version V3.3 and all previous versions.
140CPU65150 Firmware Version V3.5 and all previous versions.
140CPU65160 Firmware Version V3.5 and all previous versions.
140CPU65260 Firmware Version V3.5 and all previous versions.
Premium
TSXETY4103 Firmware Version V5.0 and all previous versions.
TSXETY5103 Firmware Version V5.0 and all previous versions.
TSXP571634M Firmware Version V4.9 and all previous versions.
TSXP572634M Firmware Version V4.9 and all previous versions.
TSXP573634M Firmware Version V4.9 and all previous versions.
TSXP574634M Firmware Version V3.5 and all previous versions.
TSXP575634M Firmware Version V3.5 and all previous versions.
TSXP576634M Firmware Version V3.5 and all previous versions.
M340
BMXNOE0100 Firmware Version V2.3 and all previous versions.
BMXNOE0110 Firmware Version V4.65 and all previous versions.
BMXP342020 Firmware Version V2.2 and all previous versions.
BMXP342030 Firmware Version V2.2 and all previous versions.
STB DIO
STBNIC2212 Firmware Version V2.10 and all previous versions.
STBNIP2311 Firmware Version V3.01 and all previous versions.
STBNIP2212 Firmware Version V2.73 and all previous versions.
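
For asset owners checking exposure, the sketch below is an added example (not code from ICS-CERT, Schneider Electric or the researcher) that parses lines in the format of the list above and triages an inventory against them. The inventory rows and the EXAMPLE-PLC-1 model are constructed, and because the article does not say how multi-digit minor versions such as V4.65 are ordered, any comparison where the two readings disagree is marked for manual review.

```python
import re

# Excerpt of the affected-products lines, copied from the article; paste the
# remaining lines in the same format to cover every listed model.
ADVISORY = """\
140NOE77101 Firmware Version 4.9 and all previous versions.
140NOE77100 Firmware Version V3.4 and all previous versions.
BMXNOE0100 Firmware Version V2.3 and all previous versions.
BMXNOE0110 Firmware Version V4.65 and all previous versions.
"""
LINE_RE = re.compile(r"^(\S+) Firmware Version (V?\d+\.\d+) and all previous versions\.$")
VER_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)$")

def load_advisory(text):
    """Map model -> highest affected firmware version string."""
    rows = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return {m[1].upper(): m[2] for m in rows if m}

def at_or_below(firmware, limit):
    """True/False, or None if unparseable or the two readings disagree.

    Assumption: the article does not say whether V4.65 means minor release 65
    or decimal 4.65, so both readings are compared and a conflict is not decided.
    """
    a, b = VER_RE.match(firmware.strip()), VER_RE.match(limit)
    if not a or not b:
        return None
    as_ints = (int(a[1]), int(a[2])) <= (int(b[1]), int(b[2]))
    as_decimal = float(f"{a[1]}.{a[2]}") <= float(f"{b[1]}.{b[2]}")
    return as_ints if as_ints == as_decimal else None

def triage(inventory, table):
    """Classify (model, firmware) inventory rows against the advisory table."""
    labels = {True: "affected", False: "newer-than-listed", None: "review"}
    out = []
    for model, firmware in inventory:
        key = model.strip().upper()
        status = labels[at_or_below(firmware, table[key])] if key in table else "not-listed"
        out.append((key, status))
    return out

# Constructed sample inventory (hypothetical assets, not from the article).
SAMPLE = [("BMXNOE0100", "V2.1"), ("bmxnoe0110", "4.7"), ("140NOE77101", ""),
          ("140NOE77100", "V3.5"), ("EXAMPLE-PLC-1", "V1.0")]

if __name__ == "__main__":
    for model, status in triage(SAMPLE, load_advisory(ADVISORY)):
        print(f"{model:14} {status}")
```

Rows marked "review" (unknown firmware, or a version whose ordering is ambiguous) should be treated as exposed until the firmware is confirmed on the device.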

Schneider’s fix for the Telnet and Windriver debug port vulnerabilities for the BMXNOE0100 and 140NOE77101 modules will be available on the Schneider website.

This fix removes the Telnet and Windriver services from the modules. Organizations need to evaluate the impact of removing these services prior to applying this fix.


