From the advisory:
This upgrade includes a new feature that allows the user to enable or disable both the FTP and HTTP services on the modules. Disabling these services will mitigate the vulnerability mentioned above. The following products support the HTTP and FTP service enable and disable feature:
- 140NOE77101 Firmware Version 06.00 or greater, and
- 140NOE77111 Firmware Version 06.00 or greater.
As a refresher, the original problem cited by Rubén Santamarta on this device was that it contained numerous (on some systems up to 10!) backdoor accounts which granted the ability to log in via FTP and Telnet. A previous firmware update completely disabled the Telnet interface, thankfully. This update provides the ability to disable the FTP server.
The trouble is, the firmware update is performed via the FTP server! Further, if we disable both HTTP and FTP, the only service left running on the Modicon is Modbus. So how would we re-enable the FTP server in case there is a future firmware update?
My guess is that there is a way to re-enable the FTP server via Modbus, which is itself an unauthenticated protocol. If not, then Schneider's customers are now going to be locked in, running a firmware that has known issues with the Modbus server. Principal among these is the ability to STOP PROCESS CONTROL REMOTELY, and to UPLOAD NEW LADDER LOGIC. Both features lack authentication.
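To make the "unauthenticated protocol" point concrete, here is an added example (not code from the original post, and not Schneider's) that builds and parses Modbus TCP frames and then audits a constructed capture for write requests from hosts that should not be issuing them. It only models the standard public function codes (reads 0x01/0x03, writes 0x05/0x06/0x0F/0x10); the vendor-specific functions behind the STOP and ladder-upload operations mentioned above are deliberately not modelled, and any function code outside the known read set is simply treated as potentially state-changing. The source IPs and frames are constructed sample data.

```python
import struct

# Modbus TCP frame = MBAP header + PDU.
# MBAP: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
# PDU:  function code (1) + function-specific data.
# Note what is NOT in here: no credential, no session token, no signature.
# Whoever can reach TCP/502 can send any function the device implements.
MBAP = struct.Struct(">HHHB")

WRITE_FUNCTIONS = {          # standard public functions that change PLC state
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
READ_FUNCTIONS = {           # standard public read-only functions
    0x01: "Read Coils",
    0x03: "Read Holding Registers",
}


def build_request(tid, unit, function, data):
    """Assemble a Modbus TCP ADU. The MBAP length counts unit id + PDU bytes."""
    pdu = bytes([function]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_registers(tid, unit, address, count):
    return build_request(tid, unit, 0x03, struct.pack(">HH", address, count))


def write_single_register(tid, unit, address, value):
    return build_request(tid, unit, 0x06, struct.pack(">HH", address, value))


def parse_frame(frame):
    """Split a raw ADU into its fields, rejecting malformed headers."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(frame, 0)
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def classify(frame):
    """READ for known read functions, WRITE for known writes, OTHER for anything
    else (vendor-defined or unmodelled codes are assumed potentially state-changing)."""
    fc = parse_frame(frame)["function"]
    if fc in WRITE_FUNCTIONS:
        return "WRITE", fc
    if fc in READ_FUNCTIONS:
        return "READ", fc
    return "OTHER", fc


def audit(capture, allowed_writers):
    """Flag non-read requests from hosts outside the allow-list.

    capture: iterable of (source_ip, raw_frame). Because the protocol carries
    no identity of its own, the source address is the only thing available to
    check, which is exactly why a network allow-list is the usual mitigation.
    """
    findings = []
    for src, frame in capture:
        kind, fc = classify(frame)
        if kind != "READ" and src not in allowed_writers:
            findings.append((src, kind, fc))
    return findings


# Constructed sample capture: an HMI polling a register, then two hosts
# (one expected, one not) writing the same register.
SAMPLE_CAPTURE = [
    ("10.0.0.5", read_holding_registers(1, 1, 0x0000, 4)),
    ("10.0.0.5", write_single_register(2, 1, 0x0010, 0x0001)),
    ("10.0.0.99", write_single_register(7, 1, 0x0010, 0x0000)),
]
ALLOWED_WRITERS = {"10.0.0.5"}

if __name__ == "__main__":
    for src, kind, fc in audit(SAMPLE_CAPTURE, ALLOWED_WRITERS):
        print(f"{src}: unauthenticated {kind} request, function 0x{fc:02X}")
```

Nothing in `audit` can tell a legitimate engineering workstation from an attacker spoofing its address; the frame format gives it nothing to work with. That is the practical meaning of "Modbus is unauthenticated": any control you want has to live outside the protocol, in network segmentation and allow-lists.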
Basically the Schneider update is full of fail. The backdoor accounts are still in the device, along with a slew of unauthenticated functionality. The saddest part is that many ICS news blogs are saying that this is a