Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2011.1266 Schneider Electric Quantum Ethernet Module 19 December 2011 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Schneider Electric Quantum Ethernet Module Publisher: US-CERT Operating System: Network Appliance Impact/Access: Administrator Compromise -- Remote/Unauthenticated Execute Arbitrary Code/Commands -- Remote/Unauthenticated Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Website Defacement -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Mitigation CVE Names: CVE-2011-4859 Original Bulletin: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf - --------------------------BEGIN INCLUDED TEXT-------------------- ICS-ALERT-11-346-01 Schneider Electric Quantum Ethernet Module Multiple Vulnerabilities December 12, 2011 ALERT SUMMARY On December 12, 2011, independent security researcher Rubn Santamarta publicly announced details of multiple vulnerabilities affecting the Schneider Electric Quantum Ethernet Module. Prior to publication, Mr. Santamarta notified ICS-CERT of the vulnerabilities. ICS-CERT is coordinating mitigations with Mr. Santamarta and Schneider Electric. Schneider has produced a fix for two of the reported vulnerabilities and is continuing to develop additional mitigations. Multiple hardcoded credentials are revealed in Mr. Santamartas report that enable access to the following services: * Telnet port - May allow remote attackers the ability to view the operation of the modules firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code. * Windriver Debug port - Used for development; may allow remote attackers to view the operation of the modules firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code. * FTP service - May allow an attacker to modify the module website, download and run custom firmware, and modify the http passwords. ICS-CERT is currently coordinating with Schneider Electric to develop mitigations. Additional information regarding the impact and mitigations will be issued as it becomes available. Please report any issues affecting control systems in critical infrastructure environments to ICS-CERT. AFFECTED PRODUCTS Quantum 140NOE77101 Firmware Version 4.9 and all previous versions. 140NOE77111 Firmware Version 5.0 and all previous versions. 140NOE77100 Firmware Version V3.4 and all previous versions. 140NOE77110 Firmware Version V3.3 and all previous versions. 140CPU65150 Firmware Version V3.5 and all previous versions. 140CPU65160 Firmware Version V3.5 and all previous versions. 140CPU65260 Firmware Version V3.5 and all previous versions. Premium TSXETY4103 Firmware Version V5.0 and all previous versions. TSXETY5103 Firmware Version V5.0 and all previous versions. TSXP571634M Firmware Version V4.9 and all previous versions. TSXP572634M Firmware Version V4.9 and all previous versions. TSXP573634M Firmware Version V4.9 and all previous versions. TSXP574634M Firmware Version V3.5 and all previous versions. TSXP575634M Firmware Version V3.5 and all previous versions. TSXP576634M Firmware Version V3.5 and all previous versions. M340 BMXNOE0100 Firmware Version V2.3 and all previous versions. BMXNOE0110 Firmware Version V4.65 and all previous versions. BMXP342020 Firmware Version V2.2 and all previous versions. a BMXP342030 Firmware Version V2.2 and all previous versions. a STB DIO STBNIC2212 Firmware Version V2.10 and all previous versions. STBNIP2311 Firmware Version V3.01 and all previous versions. STBNIP2212 Firmware Version V2.73 and all previous versions. MITIGATION Schneider Electric has created a fix for the Telnet and Windriver debug port vulnerabilities for the BMXNOE0100 and 140NOE77101 modules, which will be published on the Schneider website. This fix removes the Telnet and Windriver services from the modules. Organizations need to evaluate the impact of removing these services prior to applying this fix. ICS-CERT will provide additional information as mitigations become available for other identified vulnerabilities. ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: * Minimize network exposure for all control system devices. Control system devices should not directly face the Internet. b * Locate control system networks and devices behind firewalls, and isolate them from the business network. * If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures. The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the US-CERT website. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. c Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents. ICS-CERT CONTACT ICS-CERT Operations Center 1-877-776-7585 ics-cert@dhs.gov For CSSP Information and Incident Reporting: www.ics-cert.org DOCUMENT FAQ What is an ICS-CERT Alert? An ICS-CERT Alert is intended to provide timely notification to critical infrastructure owners and operators concerning threats or activity with the potential to impact critical infrastructure computing networks. When is vulnerability attribution provided to researchers? Attribution for vulnerability discovery is always provided to the vulnerability reporter unless the reporter declines attribution. ICS-CERT encourages researchers to coordinate vulnerability details before public release. The public release of vulnerability details prior to the development of proper mitigations may put industrial control systems and the public at avoidable risk. a. These products are only affected by the FTP and hard-coded credential vulnerabilities. b. ICS-CERT ALERT, http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-301-01.pdf, website last accessed December 12, 2011 c. Control Systems Security Program (CSSP) Recommended Practices, http://www.us-cert.gov/control_systems/practices/Recommended_Practices.html, website last accessed December 12, 2011. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBTu7fAe4yVqjM2NGpAQJw1xAAv3ipwjepNffrx+zQmrZu18aNbg3uTLPs 5KpCTeDAL7zS0WjwMhHLVkFYl6J5OqeFdi0AqzrW55n2qageYj9KhmHBduOiPOXC 2+lAGYkFsucg3Gl2pH6viL/V3Rs1UFgAH8zriQTFNpOm28+RPv8n8r194NcJj5gu 0veR0Ax9HG7C20pCdbYwgNSowKMgfpqyArtlkjlyT3Hgcj1TU0UO5tZIVkoxruNs W7Au1jRtpMAHQXx3W1mHPDUIr6OdazPqGd2EUWvg1CgiIq+XCEGCWYm5jBrsLDYf ywlVnA/enx0WIMcH1pY2jE9PNbISJntboNIX6ZiTkcBewJf2uNdaxkTxHvHj3gLs SjSvX7uUd0k9n0WEO3i3+dKm5477+JB+s50XQAv7yDxJ2aV7uWK04AaZiiMzdzhv UHKqMrGwvrLelHetI8QbZyAku7wJSV/FsO7CYqSz1cwXJ+VzpaCsfkFUM0Xp3Y2T dP7V+frt9R0tj2pxhmrZpYKOrU5GbKhrVCoj/hCEHM2ZSq5Bsy0K42YiIhRoFnT8 UvFwUcIZ5+sMC/tXonQOrWVxznzjVKsdHT/ZTFZz3/L2jCa+Y6oUHjthvu7UfNft T3U3yXkBLrgv0tcfTUBdZN72Zid3mSneoL7C6T9icW1HsNTOOplMAn6CJ5PUALZ4 6Wb/UYsMDt8= =kJP3 -----END PGP SIGNATURE-----