Schneider: More Patches for Module Hole

Wednesday, January 18, 2012 @ 06:01 PM gHale


Schneider Electric has released a patch for a portion of the reported hard-coded credential vulnerabilities in its Quantum Ethernet Module. The publicized credentials grant access to the Telnet port, the Windriver Debug port, and the FTP service.

Schneider Electric is continuing to develop additional updates for the remaining reported vulnerabilities. Independent security researcher Rubén Santamarta first reported the vulnerabilities in December.


The following are the affected products and versions:

Quantum
• 140NOE77101 Firmware V4.9 and all previous versions.
• 140NOE77111 Firmware V5.0 and all previous versions.
• 140NOE77100 Firmware V3.4 and all previous versions.
• 140NOE77110 Firmware V3.3 and all previous versions.
• 140CPU65150 Firmware V3.5 and all previous versions.
• 140CPU65160 Firmware V3.5 and all previous versions.
• 140CPU65260 Firmware V3.5 and all previous versions.
• 140NOC77100 Firmware V1.01 and all previous versions.
• 140NOC77101 Firmware V1.01 and all previous versions.
• Any available conformal-coated versions of the above part numbers.

Premium
• TSXETY4103 Firmware V5.0 and all previous versions.
• TSXETY5103 Firmware V5.0 and all previous versions.
• TSXP571634M Firmware V4.9 and all previous versions.
• TSXP572634M Firmware V4.9 and all previous versions.
• TSXP573634M Firmware V4.9 and all previous versions.
• TSXP574634M Firmware V3.5 and all previous versions.
• TSXP575634M Firmware V3.5 and all previous versions.
• TSXP576634M Firmware V3.5 and all previous versions.
• TSXETC101 Firmware V1.01 and all previous versions.
• Any available conformal-coated versions of the above part numbers.

M340
• BMXNOE0100 Firmware V2.3 and all previous versions.
• BMXNOE0110 Firmware V4.65 and all previous versions.
• BMXNOC0401 Firmware V1.01 and all previous versions.

The following products are affected through the FTP service vulnerabilities only (they are not affected by the Telnet or Windriver Debug vulnerabilities):
• STBNIC2212 Firmware V2.10 and all previous versions.
• STBNIP2311 Firmware V3.01 and all previous versions.
• STBNIP2212 Firmware V2.73 and all previous versions.
• BMXP342020 Firmware V2.2 and all previous versions.
• BMXP342030 Firmware V2.2 and all previous versions.
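As an added example that is not part of the advisory or Schneider's own tooling, the following Python check encodes the affected-version table above so an asset inventory can be screened for modules still running an affected firmware. Part numbers and version thresholds are transcribed from the list; the sample inventory is constructed, and two points are assumptions because the advisory does not state them: firmware versions are compared as decimal numbers, and conformal-coated parts are recognised by a trailing "C" suffix.

```python
from decimal import Decimal, InvalidOperation

# Affected part numbers and last affected firmware, transcribed from the advisory above.
# Telnet, Windriver Debug and FTP hard-coded credentials:
AFFECTED_ALL = {
    "140NOE77101": "4.9", "140NOE77111": "5.0", "140NOE77100": "3.4", "140NOE77110": "3.3",
    "140CPU65150": "3.5", "140CPU65160": "3.5", "140CPU65260": "3.5",
    "140NOC77100": "1.01", "140NOC77101": "1.01",
    "TSXETY4103": "5.0", "TSXETY5103": "5.0", "TSXP571634M": "4.9", "TSXP572634M": "4.9",
    "TSXP573634M": "4.9", "TSXP574634M": "3.5", "TSXP575634M": "3.5", "TSXP576634M": "3.5",
    "TSXETC101": "1.01", "BMXNOE0100": "2.3", "BMXNOE0110": "4.65", "BMXNOC0401": "1.01",
}
# FTP hard-coded credentials only:
AFFECTED_FTP_ONLY = {
    "STBNIC2212": "2.10", "STBNIP2311": "3.01", "STBNIP2212": "2.73",
    "BMXP342020": "2.2", "BMXP342030": "2.2",
}

def parse_version(v):
    """'V4.9' / 'v5.01' -> Decimal. Assumption not stated in the advisory: versions
    compare as decimal numbers, so V4.65 < V4.9 and V5.01 < V5.11."""
    try:
        return Decimal(v.strip().lstrip("Vv"))
    except InvalidOperation:
        raise ValueError(f"unparseable firmware version: {v!r}")

def assess(part_number, firmware):
    """Return the services whose hard-coded credentials apply to one inventory entry."""
    pn = part_number.strip().upper()
    if pn.endswith("C") and pn[:-1] in AFFECTED_ALL:
        pn = pn[:-1]  # assumed: conformal-coated parts carry a trailing C suffix
    fw = parse_version(firmware)
    if pn in AFFECTED_ALL and fw <= parse_version(AFFECTED_ALL[pn]):
        return ["telnet", "windriver-debug", "ftp"]
    if pn in AFFECTED_FTP_ONLY and fw <= parse_version(AFFECTED_FTP_ONLY[pn]):
        return ["ftp"]
    return []

def scan_inventory(rows):
    """rows: (device_name, part_number, firmware) tuples -> [(device_name, services)] hits."""
    assessed = [(name, assess(pn, fw)) for name, pn, fw in rows]
    return [(name, services) for name, services in assessed if services]

# Constructed sample inventory, not taken from the advisory.
SAMPLE_INVENTORY = [
    ("plc-line1-noe", "140NOE77101", "V4.9"),   # last affected version
    ("plc-line2-noe", "140NOE77101", "V5.01"),  # patched Exec listed in the advisory
    ("stb-cell3", "STBNIP2311", "V3.01"),       # FTP credentials only
    ("plc-line3-cpu", "140CPU65150C", "V3.5"),  # conformal-coated variant (assumed suffix)
]
```

Calling scan_inventory(SAMPLE_INVENTORY) returns the three entries still exposed, each with the list of services whose hard-coded credentials apply; the patched 140NOE77101 on Exec V5.01 is not reported.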

Successful exploitation of these vulnerabilities could allow an attacker to gain elevated privileges, to load a modified firmware, or to perform other malicious activities on the system.

Schneider Electric is a manufacturer and integrator of energy management and industrial automation systems, equipment, and software. The affected Schneider Electric systems are primarily in energy, manufacturing, and infrastructure applications. Schneider Electric reports operations in over 100 countries worldwide.

Santamarta’s report revealed multiple hard-coded credentials that enable access to the following services:
• Telnet port—May allow remote attackers the ability to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• Windriver Debug port—Used for development; may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• FTP service—May allow an attacker to modify the module website, download and run custom firmware, and modify the HTTP passwords.

CVE-2011-4859 is the number assigned to this vulnerability group. The vulnerability has a CVSS V2 base score of 10. These vulnerabilities are remotely exploitable and there are public exploits targeting these vulnerabilities.

Schneider’s fix for the Telnet and Windriver debug port vulnerabilities for the BMXNOE0100 and 140NOE77101 modules will be up on the Schneider website.

The patch will not affect the capacities or functionality of the product, nor impact the performance of installations, because the Telnet and Windriver debug services exist only for advanced troubleshooting and are not intended for customer use, Schneider Electric officials said.

In addition, Schneider Electric provided the following patches on its website:
• 140NOE77101 Exec V5.01 for Unity Users
• 140NOE77111 Exec V5.11
• BMXNOE0100 Exec V2.50 – M340 Ethernet Module
• BMXNOE0110 Exec V5.3 – M340 Ethernet Module
