ICS-CERT Issues New SCADA Vulnerability Advisory

Wednesday, December 14, 2011
ICS-CERT has released a security advisory regarding multiple vulnerabilities in the Schneider Electric Quantum Ethernet Module, programmable logic controller (PLC) equipment used to manage critical functions for industrial operations such as public utilities.

The vulnerabilities in the Modicon Quantum PLC were discovered by security researcher Rubén Santamarta, who alerted ICS-CERT to the problems before publishing an article outlining the details.

Santamarta uncovered multiple hidden accounts with default passwords in the systems that could allow an attacker to remotely access the network, view and modify the module's firmware, execute arbitrary malicious code, or cause a denial of service interruption.

"On December 12, 2011, independent security researcher Rubén Santamarta publicly announced details of multiple vulnerabilities affecting the Schneider Electric Quantum Ethernet Module. Prior to publication, Mr. Santamarta notified ICS-CERT of the vulnerabilities. ICS-CERT is coordinating mitigations with Mr. Santamarta and Schneider Electric. Schneider has produced a fix for two of the reported vulnerabilities and is continuing to develop additional mitigations," the ICS-CERT advisory states.

According to the security advisory:

Multiple hardcoded credentials are revealed in Mr. Santamarta’s report that enable access to the following services:

• Telnet port – May allow remote attackers the ability to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.

• Windriver Debug port – Used for development; may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.

• FTP service – May allow an attacker to modify the module website, download and run custom firmware, and modify the http passwords.

ICS-CERT is currently working with Schneider Electric in consultation with Santamarta in an effort to produce remediation for the vulnerabilities.

"Schneider Electric has created a fix for the Telnet and Windriver debug port vulnerabilities for the BMXNOE0100 and 140NOE77101 modules, which will be published on the Schneider website. This fix removes the Telnet and Windriver services from the modules. Organizations need to evaluate the impact of removing these services prior to applying this fix. ICS-CERT will provide additional information as mitigations become available for other identified vulnerabilities," the advisory continued.

The advisory also offers the following mitigation advice:

ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.

• Locate control system networks and devices behind firewalls, and isolate them from the business network.

• If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
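The three services the advisory names (Telnet, the Wind River debug port and FTP) and its first two mitigations (keep PLCs off the Internet, behind a firewall and away from the business network) together suggest a simple monitoring check. The following script is an added example, not part of the advisory or this article: it reads firewall log lines and flags any attempt to reach those services on a control-network host from outside an approved engineering subnet. The log format, the address ranges 10.20.0.0/24 and 10.10.5.0/24, and the use of the well-known default ports (Telnet 23/tcp, FTP 21/tcp, WDB agent 17185/udp) are assumptions for the example.

```python
"""Flag firewall log entries that reach the services named in the advisory
(Telnet, FTP, Wind River WDB debug agent) on control-network hosts from any
source other than an approved engineering subnet.

Assumptions (not from the advisory): the netfilter-style log format below,
the PLC range 10.20.0.0/24, the approved engineering subnet 10.10.5.0/24,
and the well-known default ports for each service."""
import ipaddress
import re

PLC_NET = ipaddress.ip_network("10.20.0.0/24")          # assumed control network
ENGINEERING_NET = ipaddress.ip_network("10.10.5.0/24")  # assumed approved source
WATCHED_PORTS = {("tcp", 23): "telnet", ("tcp", 21): "ftp", ("udp", 17185): "wdb"}

# "SRC= DST= PROTO= ... DPT=" fields as written by netfilter LOG targets
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+) .*?DPT=(\d+)")

def parse_line(line):
    """Return (src, dst, proto, dport) or None if the line is not a firewall hit."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)

def find_exposed_service_access(lines):
    """Return (src, dst, service) for each watched service reached on a PLC host
    from a source outside the engineering subnet."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        service = WATCHED_PORTS.get((proto, dport))
        if service is None or dst not in PLC_NET or src in ENGINEERING_NET:
            continue
        findings.append((str(src), str(dst), service))
    return findings

# Constructed sample log lines, not real traffic
SAMPLE_LOG = [
    "Dec 14 10:01:02 fw kernel: IN=eth0 OUT=eth1 SRC=10.10.5.7 DST=10.20.0.15 PROTO=TCP SPT=51000 DPT=23",
    "Dec 14 10:01:09 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=10.20.0.15 PROTO=TCP SPT=40122 DPT=21",
    "Dec 14 10:02:31 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.20.0.15 PROTO=UDP SPT=6000 DPT=17185",
    "Dec 14 10:03:00 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.30.0.2 PROTO=TCP SPT=6001 DPT=23",
    "Dec 14 10:03:05 fw kernel: IN=eth0 OUT=eth1 SRC=10.10.8.3 DST=10.20.0.16 PROTO=TCP SPT=6002 DPT=502",
]

if __name__ == "__main__":
    for hit in find_exposed_service_access(SAMPLE_LOG):
        print("ALERT: %s -> %s (%s)" % hit)
```

Against the sample lines only the FTP and WDB attempts from outside addresses are reported; the Telnet session from the engineering subnet, the Telnet attempt against a non-PLC host and the Modbus/TCP traffic on port 502 are left alone.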

The full ICS-CERT advisory, which includes a list of affected products, can be found here:

Source: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf
