ICS Vendor Fixes Hard-Coded Credential Bugs Nearly Two Years After Advisory

Nearly two years after a security researcher published details of the hard-coded credentials that ship with a slew of industrial control system products made by Schneider Electric, the company has released updated firmware that fixes the problems.

The vulnerabilities, which were discovered by researcher Ruben Santamarta and published in December 2011, affect dozens of products from Schneider Electric that include the company’s Quantum Ethernet Module. Santamarta found that several services on the modules had hard-coded credentials that enable a remote attacker to log in to the Telnet, Windriver Debug and FTP services. The credentials for those services are public now.

“Schneider Electric has created firmware upgrades that resolve the Telnet and Windriver debug port vulnerabilities for all affected products by removing the Telnet and Windriver services from these modules. According to Schneider Electric, removing these services will not affect the capacities/functionalities of the product or impact the performance of customer installations. Telnet and Windriver debug services were installed only for advanced troubleshooting use and were never intended for customer use,” an advisory published by the ICS-CERT said.

“Schneider has also released a firmware upgrade to address the FTP service vulnerability referenced above. It is available on selected Quantum programmable logic controller modules. This upgrade includes a new feature that allows the user to enable or disable both the FTP and HTTP services on the modules. Disabling these services will mitigate the vulnerability mentioned above.”

Santamarta has found similar issues with hard-coded credentials in other ICS and SCADA systems, including some from TURCK, a German manufacturer. In June, Schneider had released firmware that fixed the vulnerabilities in some of its other products.
