CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile: 92.3%
--------- Begin Update B Part 1 of 3 --------
This updated advisory is a follow-up to the updated advisory titled ICSA-12-018-01A Schneider Electric Quantum Ethernet Module Hard-Coded Credentials that was published on June 04, 2013, on the ICS-CERT Web site. It is also a follow-up to the original alert titled ICS-ALERT-11-346-01 Schneider Electric Quantum Ethernet Module Credentials that was published December 12, 2011, on the ICS-CERT Web page. This advisory corrects and expands on the details in the specified alert and subsequent advisory updates.
On December 12, 2011, independent security researcher Rubén Santamarta publicly announced information regarding hard-coded credentials in the Schneider Electric Quantum Ethernet Module. The credentials publicized grant access to the Telnet port, Windriver Debug port, and the FTP service. Prior to publication, Mr. Santamarta coordinated these vulnerabilities with ICS-CERT.
ICS-CERT has coordinated with Schneider Electric, and they have produced patches and firmware upgrades for Quantum and other affected products.
The following products and versions are affected:
Quantum
Any available conformal-coated versions of the above part numbers.
Premium
Any available conformal-coated versions of the above part numbers.
M340
The following products are affected by the FTP Service vulnerabilities only (not affected by Telnet or Windriver Debug vulnerabilities):
Successful exploitation of these vulnerabilities may allow an attacker to gain elevated privileges, to load a modified firmware, or to perform other malicious activities on the system.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Schneider Electric is a manufacturer and integrator of energy management and industrial automation systems, equipment, and software. The affected Schneider Electric systems are found primarily in energy, manufacturing, and infrastructure applications. Schneider Electric reports operations in over 100 countries worldwide.
Mr. Santamarta's report revealed multiple hard-coded credentials that enable access to the following services:
CVE-2011-4859 has been assigned to this vulnerability group (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4859, Web site last accessed June 04, 2013). A CVSS V2 base score of 10 has also been assigned.
These vulnerabilities are remotely exploitable.
Public exploits are known to target these vulnerabilities.
An attacker with a low skill level could exploit these vulnerabilities.
Schneider Electric has created firmware upgrades that resolve the Telnet and Windriver debug port vulnerabilities for all affected products by removing the Telnet and Windriver services from these modules. According to Schneider Electric, removing these services will not affect the capacities/functionalities of the product or impact the performance of customer installations. Telnet and Windriver debug services were installed only for advanced troubleshooting use and were never intended for customer use.
Schneider Electric has posted firmware upgrades on their Web site, <http://www.schneider-electric.com/download/ww/en/results/3541958-SoftwareFirmware/>. Users should ensure they are using the minimum versions referenced below:
Quantum
Premium
M340
Schneider has also released a firmware upgrade to address the FTP service vulnerability referenced above. It is available on selected Quantum programmable logic controller modules. This upgrade includes a new feature that allows the user to enable or disable both the FTP and HTTP services on the modules. Disabling these services will mitigate the vulnerability mentioned above. The following products support the HTTP and FTP service enable and disable feature:
Organizations need to evaluate the impact of removing these services prior to applying this fix. ICS-CERT will provide additional information as mitigations become available for other identified vulnerabilities.
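A post-remediation check for the two fixes described above, as an added example that is not part of the advisory or of Schneider Electric's tooling: it confirms that Telnet no longer answers on upgraded modules and that FTP and HTTP are closed where they were disabled. The port numbers are the standard defaults and the module addresses are constructed; both are assumptions.

```python
import socket

# Default TCP ports for the services named in the advisory (assumption:
# the modules listen on the standard ports). The Windriver debug port is
# not covered by this TCP-only check.
SERVICES = {"ftp": 21, "telnet": 23, "http": 80}


def tcp_open(host, port, timeout=2.0):
    """Single TCP connect, no payload sent. True if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit(inventory, ports=SERVICES, probe=tcp_open):
    """Return (host, service, port) for every service that should be gone
    after remediation but still accepts connections.

    inventory maps a module address to the services expected closed:
    "telnet" once the upgraded firmware is installed, plus "ftp" and
    "http" where the enable/disable feature was used to turn them off.
    """
    findings = []
    for host in sorted(inventory):
        for service in sorted(inventory[host]):
            if probe(host, ports[service]):
                findings.append((host, service, ports[service]))
    return findings


if __name__ == "__main__":
    # Constructed inventory using documentation addresses (RFC 5737).
    modules = {
        "192.0.2.10": {"telnet"},                 # firmware upgraded only
        "192.0.2.11": {"telnet", "ftp", "http"},  # upgraded, FTP/HTTP disabled
    }
    for host, service, port in audit(modules):
        print(f"{host}: {service} ({port}/tcp) still reachable")
```

An empty result means every service expected to be closed refused or dropped the connection; any finding points to a module that still needs the firmware upgrade or the service-disable setting.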
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks: