-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0109
         A vulnerability has been identified in Schneider Electric
                Modicon PLC Ethernet Communication Modules
                             25 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Schneider Electric Modicon PLC Ethernet Communication Modules
Operating System:     Network Appliance
Impact/Access:        Unauthorised Access -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
Member content until: Saturday, October 25 2014

OVERVIEW

        A vulnerability has been identified in Schneider Electric Modicon PLC
        Ethernet Communication Modules for M340, Quantum and Premium PLC 
        ranges, and other Schneider Electric products providing HTTP services.


IMPACT

        The vendor has provided the following details regarding this 
        vulnerability:
        
        "This vulnerability allows an attacker to bypass the basic 
        authentication on the web server. Using directory traversals an 
        attacker can bypass the basic authentication mechanism in the web 
        server and gain unauthorized access to protected resources. This 
        vulnerability would require network access to the target device 
        through TCP/IP and particularly HTTP.
        
        These vulnerabilities were discovered during cyber security research
        both by an external researcher and by Schneider Electric internal 
        investigations. We have no evidence that these vulnerabilities have
        been exploited.
        
        Schneider Electric takes these vulnerabilities very seriously and we
        have devoted resources to immediately investigate and address this 
        issue. We believe it is critical to consider the whole picture, 
        including safety, security and reliability. Any 
        patches/solutions/mitigations we release will be carefully tested to
        ensure that they can be deployed in a manner that is both safe and 
        secure." [1]
        
        "Overall CVSS Score: 9.3 
        (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:ND/RL:W/RC:C/CDP:H/TD:H/CR:H/IR:H/AR:H)"
        [1]


MITIGATION

        Schneider Electric has released firmware to correct this 
        vulnerability for the following products:
        
        140CPU65150 Exec v5.5
        
        TSXETY5103 Exec v5.9
        
        140CPU65160 Exec v5.5
        
        TSXETY5103C Exec v5.9
        
        140CPU65260 Exec v5.5
        
        TSXP571634M ETYPort Exec v5.7
        
        140NOC78000 Exec v1.62
        
        TSXP572634M ETYPort Exec v5.7
        
        140NOC78100 Exec v1.62
        
        TSXP573634M ETYPort Exec v5.7
        
        140NOE77101 Exec v6.2
        
        TSXP574634M Ethernet Copro Exec v5.5
        
        140NOE77111 Exec v6.2
        
        TSXP575634M Ethernet Copro Exec v5.5
        
        BMXNOC0401 v2.05
        
        TSXP576634M Ethernet Copro Exec v5.5
        
        BMXNOE0100 v2.9
        
        BMXNOE0110 Exec v6.0
        
        BMXNOE0110H Exec v6.0
        
        TSXETC101 Exec v2.04
        
        TSXETY4103 Exec V5.7
        
        TSXETY4103C Exec V5.7


REFERENCES

        [1] Important Security Notification - Modicon PLC Ethernet
            Communication Modules
            http://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2014-260-01

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVCOqfhLndAQH1ShLAQIaPw//ZDMrnMYULSkC7L6btUmoH3VLztF7ANv8
FxxTtWpmvtHbkvwzllgPASYUcEpJ2d1n1L5Eq6kmYU5DRuNYZMdkTiEyE9T+pTUp
WMxxv9Kz0Rck9VEYfkya+rQsDpwfuFv79sSFTxb2aU/Lfek/t3H6E045zOcEY7RS
uY1THDpdYLrXgpsvAltKWkDKHdaLXr02Uu5H/3x7gb+nhVMx+4gUW2qr7JxA8Kll
A9ZT8VMLu9lTIZO5K/zRj4ltZUji+smCre5UyGnkMFSRrI+2pGk3eTTdJeHmjXye
idivG7nuaAIZ3dnyWOrB6KZ8LqwinwuViKKQmlTukqS9CaFoRrfhWwvF+nCsaVeD
PGpr/g6TAf9ZxVMDaMshFcx0SMS7oUsDVLU5bIsRxK4UVmKn3uv0xfzPlYGtVDgm
Ao2JOhWqHo8PLg8KHVdxwPY+vp3qpPWk7BNZtHPTz2sxh5SdUsxHz87n9WSdeREF
l0yb+Xp9S83/KAEfKg/xhgyj7zTEAh1xWjJaSbOdL4vI8rfgRmZZo6CE1v0XEyGX
RR/vbyJagIPeFNsdMD6KH+p2Irk7RYUNEafwWbzFGp78l224N5jDGvuke4BFeQg0
OtdxvR1pd1Ej5igWRT0MPhKoq0NjVBQBPHLqZ+AYDD+JmLwRnWoFKwjNevUVGADI
9o+/AMAOhw8=
=/bIW
-----END PGP SIGNATURE-----