Schneider Continues Quantum Fixes

Monday, September 23, 2013 @ 07:09 PM gHale


Schneider Electric produced patches and firmware upgrades for the hard-coded credentials in its Quantum Ethernet Module; the publicly disclosed credentials grant access to the Telnet port, Windriver Debug port, and the FTP service, according to a report from ICS-CERT.

Prior to publication, independent security researcher Rubén Santamarta coordinated these vulnerabilities with ICS-CERT, which worked with the vendor to fix them.


The following products and versions suffer from the issues:
Quantum
• 140NOE77101 Firmware V4.9 and all previous versions.
• 140NOE77111 Firmware V5.0 and all previous versions.
• 140NOE77100 Firmware V3.4 and all previous versions.
• 140NOE77110 Firmware V3.3 and all previous versions.
• 140CPU65150 Firmware V3.5 and all previous versions.
• 140CPU65160 Firmware V3.5 and all previous versions.
• 140CPU65260 Firmware V3.5 and all previous versions.
• 140NOC77100 Firmware V1.01 and all previous versions.
• 140NOC77101 Firmware V1.01 and all previous versions.
Any available conformal-coated versions of the above part numbers.

Premium
• TSXETY4103 Firmware V5.0 and all previous versions.
• TSXETY5103 Firmware V5.0 and all previous versions.
• TSXP571634M Firmware V4.9 and all previous versions.
• TSXP572634M Firmware V4.9 and all previous versions.
• TSXP573634M Firmware V4.9 and all previous versions.
• TSXP574634M Firmware V3.5 and all previous versions.
• TSXP575634M Firmware V3.5 and all previous versions.
• TSXP576634M Firmware V3.5 and all previous versions.
• TSXETC101 Firmware V1.01 and all previous versions.
Any available conformal-coated versions of the above part numbers.

M340
• BMXNOE0100 Firmware V2.3 and all previous versions.
• BMXNOE0110 Firmware V4.65 and all previous versions.
• BMXNOC0401 Firmware V1.01 and all previous versions.

The following products suffer from the FTP Service vulnerabilities only (not affected by Telnet or Windriver Debug vulnerabilities):
• STBNIC2212 Firmware V2.10 and all previous versions.
• STBNIP2311 Firmware V3.01 and all previous versions.
• STBNIP2212 Firmware V2.73 and all previous versions.
• BMXP342020 Firmware V2.2 and all previous versions.
• BMXP342030 Firmware V2.2 and all previous versions.

Successful exploitation of these vulnerabilities may allow an attacker to gain elevated privileges, to load a modified firmware, or to perform other malicious activities on the system.

Schneider Electric is a manufacturer and integrator of energy management and industrial automation systems, equipment, and software. The affected Schneider Electric systems are primarily in energy, manufacturing, and infrastructure applications. Schneider Electric reports operations in over 100 countries worldwide.

There are multiple hard-coded credentials that enable access to the following services:
• Telnet port—May allow remote attackers the ability to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• Windriver Debug port—Used for development; may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• FTP service—May allow an attacker to modify the module website, download and run custom firmware, and modify the HTTP passwords.

CVE-2011-4859 is the number assigned to this vulnerability group, which has a CVSS V2 base score of 10.

Public exploits target these vulnerabilities, and an attacker with a low skill level could exploit them.

Schneider created firmware upgrades that resolve the Telnet and Windriver debug port vulnerabilities for all affected products by removing the Telnet and Windriver services from these modules. Removing these services will not affect the capacities or functionality of the product or impact the performance of customer installations, Schneider said. The Telnet and Windriver debug services were installed only for advanced troubleshooting and were never intended for customer use.
Schneider Electric has posted the firmware upgrades on its Web site.

Users should ensure they are using the minimum versions referenced below:
Quantum
• 140NOE77101 Exec V5.01 or greater for Unity Users,
• 140NOE77111 Exec V5.11 or greater,
• 140NOE77101 Exec V4.9 or greater for Concept Users,
• 140NOE77111 Exec V5.5 or greater for Concept Users,
• 140CPU65150 Exec V3.8 or greater,
• 140CPU65160 Exec V3.8 or greater,
• 140CPU65260 Exec V3.8 or greater, and
• 140NOC77101 Exec V1.03 or greater.

Premium
• TSXETY4103 Exec V5.2 or greater,
• TSXETY5103 Exec V5.5 or greater,
• TSXP571634 Exec V5.2 or greater,
• TSXP572634 Exec V5.2 or greater,
• TSXP573634 Exec V5.2 or greater,
• TSXP574634 Exec V3.8 or greater,
• TSXP575634 Exec V3.8 or greater,
• TSXP576634 Exec V3.8 or greater, and
• TSXETC101 Exec V2.01 or greater.

M340
• BMXNOE0100 Exec V2.50 or greater,
• BMXNOE0110 Exec V5.3 or greater, and
• BMXNOC0401 Exec V2.01 or greater.

Schneider also released a firmware upgrade to address the FTP service vulnerability referenced above. It is available on selected Quantum programmable logic controller modules. This upgrade includes a new feature that allows the user to enable or disable both the FTP and HTTP services on the modules. Disabling these services will mitigate the vulnerability mentioned above.

The following products support the HTTP and FTP service enable and disable feature:
• 140NOE77101 Firmware Version 06.00 or greater, and
• 140NOE77111 Firmware Version 06.00 or greater.
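The practical task for an asset owner reading the two lists above is to compare a module inventory against the minimum fixed Exec versions and against the firmware level that adds the FTP/HTTP disable switch. The following script is an added example written for this article; it is not code from Schneider Electric, ICS-CERT or the article's author. The version numbers in its tables are copied from the lists above; the inventory rows are constructed sample data, and the ordering of firmware strings as integer tuples (so V5.11 sorts above V5.5) is an assumption. Where the article gives separate minimums for Unity and Concept users, the check requires the programming tool to be named and reports "unknown" otherwise.

```python
"""Inventory check against the minimum fixed firmware versions in the advisory.

Added example; not Schneider Electric's, ICS-CERT's or the article author's code.
Version numbers come from the article; inventory rows are constructed.
"""
import re

# Minimum fixed Exec versions for the Telnet / Windriver Debug fix (from the article).
# Parts with tool-dependent minimums carry a dict: "Unity"/"Concept" where the
# article names the tool, "default" where it gives a version with no qualifier.
MIN_FIXED = {
    "140NOE77101": {"Unity": "5.01", "Concept": "4.9"},
    "140NOE77111": {"default": "5.11", "Concept": "5.5"},
    "140CPU65150": "3.8",
    "140CPU65160": "3.8",
    "140CPU65260": "3.8",
    "140NOC77101": "1.03",
    "TSXETY4103": "5.2",
    "TSXETY5103": "5.5",
    "TSXP571634": "5.2",
    "TSXP572634": "5.2",
    "TSXP573634": "5.2",
    "TSXP574634": "3.8",
    "TSXP575634": "3.8",
    "TSXP576634": "3.8",
    "TSXETC101": "2.01",
    "BMXNOE0100": "2.50",
    "BMXNOE0110": "5.3",
    "BMXNOC0401": "2.01",
}

# Firmware level at which the FTP/HTTP enable-disable feature exists (from the article).
FTP_HTTP_DISABLE_MIN = {"140NOE77101": "06.00", "140NOE77111": "06.00"}

# Constructed sample inventory: (part number, firmware string, programming tool or None).
SAMPLE_INVENTORY = [
    ("140NOE77101", "V4.9", "Unity"),    # below the Unity minimum of 5.01
    ("140NOE77101", "V4.9", "Concept"),  # meets the Concept minimum of 4.9
    ("140NOE77101", "V5.01", None),      # tool not recorded: cannot decide
    ("140NOE77111", "V5.11", None),      # unqualified minimum applies
    ("140CPU65150", "v3.5", None),       # below 3.8
    ("BMXNOE0110", "V5.3", None),        # meets 5.3
    ("STBNIP2311", "V3.01", None),       # FTP-only list: no Exec minimum in the article
]


def parse_version(text):
    """Turn 'V5.01', 'v5.3' or '06.00' into an integer tuple such as (5, 1).

    Assumption: firmware versions order as plain integer tuples.
    """
    m = re.fullmatch(r"\s*[Vv]?\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def minimum_for(part, tool):
    """Pick the minimum fixed version for a part, honouring the Unity/Concept split."""
    entry = MIN_FIXED.get(part)
    if entry is None:
        return None
    if isinstance(entry, str):
        return entry
    if tool in entry:
        return entry[tool]
    return entry.get("default")


def check_module(part, version, tool=None):
    """Return (status, detail) for one inventory row.

    status is one of: 'fixed', 'vulnerable', 'unknown' (tool needed), 'unlisted'.
    """
    minimum = minimum_for(part, tool)
    if minimum is None:
        if part in MIN_FIXED:
            return ("unknown", f"{part}: programming tool needed to pick a minimum")
        return ("unlisted", f"{part}: article lists no fixed Exec version")
    if parse_version(version) >= parse_version(minimum):
        return ("fixed", f"{part} {version} meets V{minimum}")
    return ("vulnerable", f"{part} {version} is below V{minimum}")


def supports_ftp_http_disable(part, version):
    """True when the module's firmware can switch the FTP and HTTP services off."""
    minimum = FTP_HTTP_DISABLE_MIN.get(part)
    return minimum is not None and parse_version(version) >= parse_version(minimum)


def audit(inventory):
    """Run check_module over every (part, version, tool) row."""
    return [check_module(*row) for row in inventory]


if __name__ == "__main__":
    for status, detail in audit(SAMPLE_INVENTORY):
        print(f"{status:10} {detail}")
```

Rows that come back "unknown" are the ones to chase first: the article's Unity and Concept minimums for the same part number differ, so an inventory that does not record the programming environment cannot be judged from the version string alone. Parts on the FTP-only list return "unlisted" because the article gives no fixed Exec version for them, only the disable feature for the two NOE modules.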
