More than 18 months after a security researcher revealed a long list of vulnerabilities in its SCADA products, Schneider Electric has released patches for a subset of those bugs for a couple of the affected products.
In December 2011, security researcher Rubén Santamarta disclosed a series of vulnerabilities in a long list of modules produced by Schneider Electric. The vulnerabilities all involved the existence of hard-coded credentials for various services in the Schneider Electric Quantum Ethernet Module. All of the vulnerabilities allow an attacker to remotely access the vulnerable services, which include Telnet, FTP and the Windriver Debug service.
On Tuesday, ICS-CERT, the group that helps coordinate advisories for ICS and SCADA security issues, published a revised bulletin about the vulnerabilities, saying that Schneider had released patches to address the vulnerabilities in a couple of the affected modules.
The details of the vulnerabilities are as follows:
- Telnet port—May allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
- Windriver Debug port—Used for development; may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
- FTP service—May allow an attacker to modify the module website, download and run custom firmware, and modify the HTTP passwords.
The fixes released by Schneider Electric address some of the vulnerabilities by removing the affected services from the modules.
“Schneider Electric has created a patch for the Telnet and Windriver debug port vulnerabilities for the BMXNOE01x0 and 140NOE771x1 modules. This patch removes the Telnet and Windriver services from the modules. According to Schneider Electric, this patch will not affect the capacities/functionalities of the product or impact the performance of customer installations because the Telnet and Windriver debug services are installed only for advanced troubleshooting use and are not intended for customer use. Schneider has also created a patch for the HTTP and FTP service that is available on selected Quantum PLC. This patch has a new feature that allows the user to disable the FTP service on modules,” the ICS-CERT advisory says.
There are still many other modules with the same vulnerabilities, and Schneider is still working on fixes for those modules.
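Because the fix for the Telnet and Windriver debug issues works by removing those services, and the FTP fix adds a switch to disable FTP, the practical verification an operator can do after patching is to confirm that the module no longer answers on those services. The script below is an added example for that check; it is not code from Schneider Electric, ICS-CERT or the article. It assumes the standard IANA TCP ports for Telnet (23) and FTP (21); the VxWorks Windriver debug (WDB) agent normally uses UDP 17185, which is noted only for reporting because a UDP probe cannot reliably distinguish "closed" from "filtered". The fake listener is a test helper that stands in for an unpatched module on the local host so the check can be exercised offline.

```python
"""Post-patch exposure check for the Telnet/FTP services named in the advisory.

Added example (not Schneider Electric or ICS-CERT code). Port numbers are
assumptions: 23 and 21 are the standard Telnet and FTP ports; the Windriver
debug agent is listed for reporting only (assumed UDP 17185, not probed).
"""
import socket
import sys

# Services the patch is expected to remove or that the operator has disabled.
# Only TCP services are probed; WDB (UDP) is reported as "not probed".
SERVICES_TO_BE_ABSENT = {"telnet": 23, "ftp": 21}
UNPROBED_UDP_SERVICES = {"windriver-debug": 17185}  # assumption, see lead-in


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, unreachable: treat all as "not open".
        return False


def check_module(host, services=SERVICES_TO_BE_ABSENT, timeout=2.0):
    """Probe each named TCP service on host; return {service: still_listening}."""
    return {name: tcp_open(host, port, timeout) for name, port in services.items()}


def patch_verified(results):
    """True when none of the services that should be gone answered."""
    return not any(results.values())


def start_fake_listener():
    """Test helper: bind a throwaway local TCP socket that accepts connections
    into its backlog, standing in for an unpatched module's Telnet service.
    Returns (server_socket, port); close the socket to simulate the patch."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def report(host, results):
    """Human-readable summary for an operator's patch log."""
    lines = [f"module {host}:"]
    for name, listening in results.items():
        state = "STILL LISTENING" if listening else "not reachable"
        lines.append(f"  {name:16s} {state}")
    for name, port in UNPROBED_UDP_SERVICES.items():
        lines.append(f"  {name:16s} not probed (UDP/{port}, assumed port)")
    verdict = "OK: removed services do not answer" if patch_verified(results) \
        else "CHECK: a service the patch should have removed still answers"
    lines.append(verdict)
    return "\n".join(lines)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(report(target, check_module(target)))
```

Run it against a module's management address after applying the patch (and after using the new FTP-disable feature, where that applies). A "STILL LISTENING" line means the module either has not taken the patch or is one of the modules for which no fix exists yet, and it belongs on the list of devices to isolate from untrusted networks until it is fixed.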
Image from Flickr photostream of Jeremiah Roth.