Schneider Patches Quantum Holes

Wednesday, June 5, 2013 @ 05:06 PM gHale


Schneider Electric created patches for the hard-coded credential vulnerabilities in the Quantum Ethernet Module, according to a report on ICS-CERT.

On December 12, 2011, independent security researcher Rubén Santamarta released information regarding hard-coded credential problems. The credentials publicized grant access to the Telnet port, Windriver Debug port, and the FTP service. Prior to publication, Santamarta coordinated these vulnerabilities with ICS-CERT.


ICS-CERT has coordinated with Schneider Electric, which has produced a patch for a portion of the remotely exploitable vulnerabilities.

The following products and versions suffer from the issues:
Quantum
• 140NOE77101 Firmware V4.9 and all previous versions.
• 140NOE77111 Firmware V5.0 and all previous versions.
• 140NOE77100 Firmware V3.4 and all previous versions.
• 140NOE77110 Firmware V3.3 and all previous versions.
• 140CPU65150 Firmware V3.5 and all previous versions.
• 140CPU65160 Firmware V3.5 and all previous versions.
• 140CPU65260 Firmware V3.5 and all previous versions.
• 140NOC77100 Firmware V1.01 and all previous versions.
• 140NOC77101 Firmware V1.01 and all previous versions.
• Any available conformal-coated versions of the above part numbers.

Premium
• TSXETY4103 Firmware V5.0 and all previous versions.
• TSXETY5103 Firmware V5.0 and all previous versions.
• TSXP571634M Firmware V4.9 and all previous versions.
• TSXP572634M Firmware V4.9 and all previous versions.
• TSXP573634M Firmware V4.9 and all previous versions.
• TSXP574634M Firmware V3.5 and all previous versions.
• TSXP575634M Firmware V3.5 and all previous versions.
• TSXP576634M Firmware V3.5 and all previous versions.
• TSXETC101 Firmware V1.01 and all previous versions.
• Any available conformal-coated versions of the above part numbers.

M340
• BMXNOE0100 Firmware V2.3 and all previous versions.
• BMXNOE0110 Firmware V4.65 and all previous versions.
• BMXNOC0401 Firmware V1.01 and all previous versions.

The following products suffer from the FTP Service vulnerabilities only (not affected by Telnet or Windriver Debug vulnerabilities):
• STBNIC2212 Firmware V2.10 and all previous versions.
• STBNIP2311 Firmware V3.01 and all previous versions.
• STBNIP2212 Firmware V2.73 and all previous versions.
• BMXP342020 Firmware V2.2 and all previous versions.
• BMXP342030 Firmware V2.2 and all previous versions.

Successful exploitation of these vulnerabilities may allow an attacker to gain elevated privileges, to load a modified firmware, or to perform other malicious activities on the system.

Schneider Electric is a manufacturer and integrator of energy management and industrial automation systems, equipment, and software. The affected Schneider Electric systems are primarily in energy, manufacturing, and infrastructure applications. Schneider Electric reports operations in over 100 countries worldwide.

There are multiple hard-coded credentials that enable access to the following services:
• Telnet port—May allow remote attackers the ability to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• Windriver Debug port—Used for development; may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
• FTP service—May allow an attacker to modify the module website, download and run custom firmware, and modify the HTTP passwords.

CVE-2011-4859 is the number assigned to this vulnerability group, which has a CVSS V2 base score of 10.

Public exploits target these vulnerabilities, and an attacker with a low skill level could exploit them.

Schneider Electric created a patch for the Telnet and Windriver debug port vulnerabilities for the BMXNOE01x0 and 140NOE771x1 modules. This patch removes the Telnet and Windriver services from the modules. According to Schneider Electric, this patch will not affect the capabilities or functionality of the product or impact the performance of customer installations, because the Telnet and Windriver debug services are only for advanced troubleshooting and are not for customer use. Schneider Electric has also created a patch for the HTTP and FTP service that is available on selected Quantum PLCs. This patch adds a new feature that allows the user to disable the FTP service on the modules. These patches are on the Schneider Electric Web site.

Schneider Electric has provided the following patches on their website:
• BMXNOE0100 Exec V2.50 – M340 Ethernet Module
• BMXNOE0110 Exec V5.3 – M340 Ethernet Module
• 140NOE77101 Firmware Version 06.00
• 140NOE77111 Firmware Version 06.00
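As an added illustration (not code from this article, from ICS-CERT or from Schneider Electric), here is a small Python triage helper that checks an asset inventory against the affected-version and patch lists above. The part numbers and versions it embeds are a subset copied from this page, the inventory entries are constructed, and reading "and all previous versions" as a numeric less-or-equal comparison is an assumption.

```python
import re

# Subset of the affected-version table on this page: part number -> highest
# affected firmware ("and all previous versions"), plus the patched releases listed.
AFFECTED = {
    "140NOE77101": "V4.9",
    "140NOE77111": "V5.0",
    "BMXNOE0100": "V2.3",
    "BMXNOE0110": "V4.65",
    "STBNIP2311": "V3.01",
}
PATCHED = {
    "140NOE77101": "06.00",
    "140NOE77111": "06.00",
    "BMXNOE0100": "Exec V2.50",
    "BMXNOE0110": "Exec V5.3",
}


def parse_version(text):
    """Normalise the spellings used on the page ("V4.9", "v5.3", "Exec V2.50",
    "Firmware Version 06.00") into a tuple of ints; "06.00" becomes (6, 0)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def assess(part, firmware):
    """Return 'affected', 'patched' or 'unknown' for one inventory entry.
    Assumption: every version that compares numerically <= the listed one is
    affected; anything between that and the patch release is reported as
    'unknown' so it can be confirmed with the vendor rather than guessed."""
    if part not in AFFECTED:
        return "unknown"
    if parse_version(firmware) <= parse_version(AFFECTED[part]):
        return "affected"
    if part in PATCHED and parse_version(firmware) >= parse_version(PATCHED[part]):
        return "patched"
    return "unknown"


def triage(inventory):
    """inventory: iterable of (asset name, part number, firmware string)."""
    return {name: assess(part, fw) for name, part, fw in inventory}


if __name__ == "__main__":
    sample = [  # constructed inventory, not from the page
        ("plc-line1-eth", "140NOE77101", "V4.9"),
        ("plc-line1-eth2", "140NOE77101", "Firmware Version 06.00"),
        ("m340-cell3", "BMXNOE0110", "v4.65"),
        ("m340-cell4", "BMXNOE0110", "Exec v5.3"),
        ("stb-island7", "STBNIP2311", "V2.9"),
    ]
    for name, status in triage(sample).items():
        print(name, status)
```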
