Schneider Doesn't Fix a Thing

Yesterday ICS-CERT released an updated advisory about the Schneider Modicon Quantum Ethernet boards. The advisory is vaguely written and hides the fact that Schneider's firmware update breaks important functionality.

From the advisory:

"""
This upgrade includes a new feature that allows the user to enable or disable both the FTP and HTTP services on the modules. Disabling these services will mitigate the vulnerability mentioned above. The following products support the HTTP and FTP service enable and disable feature:

  • 140NOE77101 Firmware Version 06.00 or greater, and
  • 140NOE77111 Firmware Version: 06.00 or greater.

"""

As a refresher, the original problem cited by Rubén Santamarta on this device was that it contained numerous (on some systems up to 10!) backdoor accounts which granted the ability to log in via FTP and Telnet. A previous firmware update completely disabled the Telnet interface, thankfully. This update provides the ability to disable the FTP server.

The trouble is, the firmware update is performed via the FTP server!  Further, assuming that we disable both HTTP and FTP, the only service left running on the Modicon now is Modbus.  So how would we re-enable the FTP server in case there is a future firmware update?

My guess is that there is a way to re-enable the FTP server via Modbus, which is itself an unauthenticated protocol.  If not, then Schneider's customers are now going to be locked-in, running a firmware that has known issues with the Modbus server.  Principal among these is the ability to STOP PROCESS CONTROL REMOTELY, and to UPLOAD NEW LADDER LOGIC.  Both features lack authentication.
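Because the Modbus path described above carries no authentication at all, the only control left is watching who sends what to the PLC. As an added example (not from the post, and not Schneider's code), the Python below parses Modbus/TCP frames and flags state-changing requests from any host outside an assumed engineering-workstation allowlist; the frames and addresses are constructed, and the function-code-90 vendor extension is stated from general knowledge, not from the post.

```python
import struct

# Modbus/TCP MBAP header: transaction id, protocol id (0), length, unit id.
MBAP = struct.Struct(">HHHB")

# Public function codes that only read data (non-exhaustive); anything else
# is treated as state-changing, which on an unauthenticated protocol matters.
READ_ONLY_FUNCTIONS = {1, 2, 3, 4, 7, 17}
# Schneider's vendor extension (function code 90) carries the PLC-control
# requests such as stop and program download. Assumption from general
# knowledge: the post names the capability, not the function code.
SCHNEIDER_VENDOR_FC = 90


def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a raw Modbus/TCP frame into MBAP fields, function code and data."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = MBAP.unpack_from(frame)
    if pid != 0:
        raise ValueError("protocol id is not Modbus (0)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[MBAP.size],
            "data": frame[MBAP.size + 1:]}


def classify(src_ip: str, frame: bytes, engineering_hosts: set) -> str:
    """Label one request: reads pass, writes pass only from known hosts."""
    fc = parse_modbus_tcp(frame)["function"]
    if fc in READ_ONLY_FUNCTIONS:
        return "read"
    if src_ip in engineering_hosts:
        return "write-from-engineering-host"
    if fc == SCHNEIDER_VENDOR_FC:
        return "ALERT: vendor control request (fc 90) from unexpected host"
    return f"ALERT: state-changing request (fc {fc}) from unexpected host"


# Constructed sample traffic (not real captures; the fc 90 payload is filler).
READ_FRAME = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"   # read 10 regs
WRITE_FRAME = b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"  # write reg 16
VENDOR_FRAME = b"\x00\x03\x00\x00\x00\x04\x01\x5a\x00\x40"         # fc 90 request
ENGINEERING_HOSTS = {"10.0.0.9"}


def run_sample() -> list:
    """Classify the constructed frames as seen from two different sources."""
    return [classify(ip, f, ENGINEERING_HOSTS) for ip, f in
            [("10.0.0.5", READ_FRAME), ("10.0.0.9", WRITE_FRAME),
             ("10.0.0.5", WRITE_FRAME), ("10.0.0.5", VENDOR_FRAME)]]
```

In practice the same classification would run over a span-port capture in front of the Modicon, with the allowlist populated from the plant's known engineering stations.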

Basically the Schneider update is full of fail.  The backdoor accounts are still in the device, and a slew of unauthenticated functionality is still in the device.  The saddest part is that many ICS news blogs are saying that this is a 'fix.'

This page contains a single entry by giminy published on September 24, 2013 8:55 AM.