September 23, 2014

ICS-CERT Warns of Hardcoded Backdoors in Industrial Control Systems

(LiveHacking.Com) – Independent security researcher Rubén Santamarta has published details of hardcoded backdoors in the Schneider Electric NOE771 Quantum Ethernet Module. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has since published an alert warning of multiple vulnerabilities in the module.

The backdoors are as follows:

  • Telnet port – May allow remote attackers the ability to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
  • Windriver Debug port – Used for development; may allow remote attackers to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code.
  • FTP service – May allow an attacker to modify the module website, download and run custom firmware, and modify the http passwords.
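A first check an operator will want is whether a module on the network actually exposes the services listed above. The script below is an added example, not Schneider or ICS-CERT tooling: it probes the default ports for the three backdoor services (FTP 21/tcp, Telnet 23/tcp and the VxWorks WDB agent on 17185/udp) plus the normal management services, and reports which backdoor services answer. The port numbers are IANA/VxWorks defaults and an assumption for any specific module; the `probe` argument can be swapped for a stub so the logic runs offline, and the address 192.0.2.10 is a constructed TEST-NET example.

```python
"""Report which NOE771 services named in the ICS-CERT alert a module exposes.

Added example (not vendor or ICS-CERT code). Ports are protocol defaults and
are assumed, not taken from the advisory.
"""
import socket

# (proto, port) -> (service name, listed by ICS-CERT as a hardcoded backdoor?)
SERVICES = {
    ("tcp", 21): ("ftp", True),
    ("tcp", 23): ("telnet", True),
    ("udp", 17185): ("wdb", True),      # Wind River WDB target agent default
    ("tcp", 80): ("http", False),
    ("tcp", 502): ("modbus", False),
    ("udp", 161): ("snmp", False),
}


def probe_port(host, proto, port, timeout=2.0):
    """Return True (open), False (closed) or None (UDP: no answer, so
    open|filtered). TCP uses a plain connect; UDP sends an empty datagram and
    treats an ICMP port-unreachable (surfaced as ConnectionRefusedError) as
    closed."""
    if proto == "tcp":
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            return s.connect_ex((host, port)) == 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(b"", (host, port))
            s.recvfrom(1024)
            return True
        except ConnectionRefusedError:
            return False
        except socket.timeout:
            return None


def audit_module(host, probe=probe_port, timeout=2.0):
    """Probe every service in SERVICES and return one finding per service."""
    state_names = {True: "open", False: "closed", None: "open|filtered"}
    findings = []
    for (proto, port), (name, is_backdoor) in SERVICES.items():
        result = probe(host, proto, port, timeout)
        findings.append({
            "service": name,
            "proto": proto,
            "port": port,
            "state": state_names[result],
            "backdoor": is_backdoor,
        })
    return findings


def backdoors_exposed(findings):
    """Names of backdoor services that definitely answered."""
    return [f["service"] for f in findings if f["backdoor"] and f["state"] == "open"]


if __name__ == "__main__":
    # Constructed TEST-NET address; replace with a lab module's IP.
    results = audit_module("192.0.2.10")
    for f in results:
        flag = " (backdoor)" if f["backdoor"] else ""
        print(f"{f['port']}/{f['proto']:<3} {f['service']:<7} {f['state']}{flag}")
    print("exposed backdoor services:", backdoors_exposed(results))
```

Run it only against modules you own and inside a maintenance window: a PLC's Ethernet stack is not built for stray connections, and an unsolicited probe to the WDB port can itself upset a module. An "open|filtered" result for a UDP service means the host did not reject the datagram, not that the agent is confirmed listening.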

Rubén’s research shows that the credentials are hardcoded in Java JAR files stored on the device. For example, Rubén shows the FTP username (‘sysdiag’) and its password. The result is that:

  • Modicon PLCs can be compromised via the NOE Ethernet modules through FTP, Telnet, Modbus, WDB, SNMP, the web interface, etc.
  • An attacker could load their own trojanized firmware.
  • There are undocumented hidden accounts that can be used to compromise a PLC.
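The credentials were found by looking at string constants inside JAR files pulled from the module. A JAR is an ordinary ZIP archive, and Java class files keep their string literals as UTF-8 in the constant pool, so a printable-string sweep over each archive entry is enough to surface them. The script below is an added example, not Santamarta's tooling or Schneider code: it builds a constructed JAR in memory (the entry name, class bytes and the password value `EXAMPLE-ONLY-PASSWORD` are all made up here; only the user name `sysdiag` comes from the research) and then triages the archive for credential-like string pairs.

```python
"""Triage a JAR (ZIP) from device firmware for hardcoded credential strings.

Added example, not Santamarta's or Schneider's code. The sample JAR is
constructed below; the password in it is a placeholder, not a real value.
"""
import io
import re
import zipfile

# Runs of 4+ printable ASCII bytes: how string literals appear in a raw
# class-file constant pool once the tag and length bytes are skipped.
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Identifier fragments that usually name a credential.
CRED_HINT = re.compile(r"(user|login|passw|pwd|secret|ftp|telnet)", re.I)


def extract_strings(data):
    """Printable ASCII runs from a blob, in file order."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def find_credentials(jar_bytes):
    """Return {entry, key, value} for each credential-like constant.

    Heuristic: javac emits constant-pool literals roughly in source order, so
    the literal following a credential-named identifier is often its value.
    A matched key consumes the following string so a password value that
    itself contains 'passw' is not re-flagged as a key.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            strings = extract_strings(jar.read(info.filename))
            i = 0
            while i < len(strings):
                if CRED_HINT.search(strings[i]) and i + 1 < len(strings):
                    findings.append({
                        "entry": info.filename,
                        "key": strings[i],
                        "value": strings[i + 1],
                    })
                    i += 2
                else:
                    i += 1
    return findings


def build_sample_jar():
    """Constructed JAR: a fake class with a constant pool-like byte layout.

    Each literal is preceded by a CONSTANT_Utf8 tag (0x01) and a 2-byte
    length, as in a real class file; the surrounding bytes are filler."""
    def utf8_const(s):
        return b"\x01" + len(s).to_bytes(2, "big") + s.encode()

    fake_class = (
        b"\xca\xfe\xba\xbe\x00\x00\x00\x31\x00\x10"   # magic, version, cp count
        + utf8_const("java/lang/Object")
        + utf8_const("ftpUser")
        + utf8_const("sysdiag")                        # user name from the research
        + utf8_const("ftpPassword")
        + utf8_const("EXAMPLE-ONLY-PASSWORD")          # constructed placeholder
        + utf8_const("connect")
        + b"\x00\x21\x00\x02\x00\x04"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("example/Settings.class", fake_class)
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_credentials(build_sample_jar()):
        print(f"{f['entry']}: {f['key']} = {f['value']!r}")
```

On a real firmware image, point `find_credentials` at every `.jar` the unpacker produces and review the hits by hand; the key/value pairing is a triage aid that narrows the search, not proof, and a decompiler is the next step for anything it flags.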

The affected products are:

Quantum

  • 140NOE77101 Firmware Version V4.9 and all previous versions.
  • 140NOE77111 Firmware Version V5.0 and all previous versions.
  • 140NOE77100 Firmware Version V3.4 and all previous versions.
  • 140NOE77110 Firmware Version V3.3 and all previous versions.
  • 140CPU65150 Firmware Version V3.5 and all previous versions.
  • 140CPU65160 Firmware Version V3.5 and all previous versions.
  • 140CPU65260 Firmware Version V3.5 and all previous versions.

Premium

  • TSXETY4103 Firmware Version V5.0 and all previous versions.
  • TSXETY5103 Firmware Version V5.0 and all previous versions.
  • TSXP571634M Firmware Version V4.9 and all previous versions.
  • TSXP572634M Firmware Version V4.9 and all previous versions.
  • TSXP573634M Firmware Version V4.9 and all previous versions.
  • TSXP574634M Firmware Version V3.5 and all previous versions.
  • TSXP575634M Firmware Version V3.5 and all previous versions.
  • TSXP576634M Firmware Version V3.5 and all previous versions.

M340

  • BMXNOE0100 Firmware Version V2.3 and all previous versions.
  • BMXNOE0110 Firmware Version V4.65 and all previous versions.
  • BMXP342020 Firmware Version V2.2 and all previous versions.
  • BMXP342030 Firmware Version V2.2 and all previous versions.

STB DIO

  • STBNIC2212 Firmware Version V2.10 and all previous versions.
  • STBNIP2311 Firmware Version V3.01 and all previous versions.
  • STBNIP2212 Firmware Version V2.73 and all previous versions.


Schneider Electric has created a fix for the Telnet and Windriver debug port vulnerabilities in the BMXNOE0100 and 140NOE77101 modules by removing those services from the firmware. The fixes will be published on the Schneider website.