CVE-2011-4859 - Multiple security vulnerabilities in Schneider Electric Modicon Quantum

CVSS 10.0 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: network, low complexity, schneider-electric, critical

Summary

The Schneider Electric Quantum Ethernet Module, as used in the Quantum 140NOE771* and 140CPU65* modules, the Premium TSXETY* and TSXP57* modules, the M340 BMXNOE01* and BMXP3420* modules, and the STB DIO STBNIC2212 and STBNIP2* modules, uses hardcoded passwords for the (1) AUTCSE, (2) AUT_CSE, (3) fdrusers, (4) ftpuser, (5) loader, (6) nic2212, (7) nimrohs2212, (8) nip2212, (9) noe77111_v500, (10) ntpupdate, (11) pcfactory, (12) sysdiag, (13) target, (14) test, (15) USER, and (16) webserver accounts, which makes it easier for remote attackers to obtain access via the (a) TELNET, (b) Windriver Debug, or (c) FTP port.

Seebug

bulletinFamily: exploit
description: Analysis of the device firmware shows that the file system contains user credentials stored in hardcoded form. These credentials are mainly used for the externally exposed FTP service and the upgrade service. The offending code is in the **/FLASH0/wwwroot/classes/SACommjar** package; specifically, in the package path **com.schneiderautomation.misc.TextFiles**, at lines 266 to 268.

```java
package com.schneiderautomation.misc;

import com.schneiderautomation.ftpsession.FTPSession;
import com.schneiderautomation.ftpsession.FileInfo;
import com.schneiderautomation.ftpsession.FtpSessionException;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.URL;
import java.net.URLConnection;
import java.util.Locale;
import java.util.Vector;

public class TextFiles {
    // Credentials baked into the class as constants in the decompiled firmware code.
    private static final String USER = "sysdiag";
    private static final String PASSWORD = "factorycast@schneider";
    private boolean fAutoConnect = true;
    private Thread engine = null;
    private String host;
    private Locale locale;
    private FTPSession ftp;
    // ...

    private void connect() throws IOException {
        if (this.fAutoConnect)
            try {
                this.ftp = new FTPSession(this.locale);
                this.ftp.connectHost(this.host);
                // The same literals are inlined at the FTP login call.
                this.ftp.login("sysdiag", "factorycast@schneider"); //CVE-2011-4859
            } catch (FtpSessionException localFtpSessionException) {
                if (this.ftp != null)
                    disconnect();
                throw new IOException(localFtpSessionException.getMessage());
            }
    }
    // ...
}
```

The Dork ["Schneider Web"](http://www.zoomeye.org/search?q=%22Schneider+Web%22) provided by the [ZoomEye](http://www.zoomeye.org/) system shows how some of these devices are deployed on the Internet; the finding can be verified by attempting an FTP login.

References:

* ["The bloodbath caused by the Schneider PLC Ethernet module firmware backdoor", by Kimon | WeChat public account: HackEver](http://mp.weixin.qq.com/s?__biz=MzA5OTMwMzY1NQ==&mid=207033762&idx=1&sn=e629b1db9f43937cba6d5707c707450d&3rd=MzA3MDU4NTYzMw==&scene=6#rd)
* ["Decrypting the Schneider PLC Ethernet module backdoor accounts"](http://plcscan.org/blog/2014/06/schneider-electric-quantum-ethernet-module-hard-coded-credentials)
* ["Alert (ICS-ALERT-11-346-01)"](http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf)
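A static check for the pattern described in this report, added here as an example and not part of the Seebug write-up or any Schneider code: it scans decompiled Java source for credential-named constants assigned string literals, login calls fed two string literals, and any literal equal to one of the account names the advisory lists. The sample input is a constructed, trimmed copy of the TextFiles fragment; the regexes and the function name are the example's own.

```python
import re
from typing import List, Tuple

# Account names the advisory above lists as hardcoded in the Quantum Ethernet Module firmware.
KNOWN_ACCOUNTS = {
    "AUTCSE", "AUT_CSE", "fdrusers", "ftpuser", "loader", "nic2212", "nimrohs2212",
    "nip2212", "noe77111_v500", "ntpupdate", "pcfactory", "sysdiag", "target",
    "test", "USER", "webserver",
}

# Constructed sample: the decompiled TextFiles fragment quoted above, trimmed to the
# lines the check cares about.
SAMPLE_JAVA = '''\
public class TextFiles {
    private static final String USER = "sysdiag";
    private static final String PASSWORD = "factorycast@schneider";
    private void connect() throws IOException {
        this.ftp = new FTPSession(this.locale);
        this.ftp.connectHost(this.host);
        this.ftp.login("sysdiag", "factorycast@schneider"); //CVE-2011-4859
    }
}
'''

# A credential-looking identifier assigned a string literal (catches the class constants).
CREDENTIAL_CONSTANT = re.compile(r'\b(\w*(?:PASS|PWD|SECRET|USER)\w*)\s*=\s*"([^"]*)"', re.I)
# A login-style call fed two string literals, i.e. user and password baked into the call.
LITERAL_LOGIN = re.compile(r'\.(login|connect|authenticate)\s*\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')
STRING_LITERAL = re.compile(r'"([^"]*)"')

def find_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, detail) for every line that embeds a credential."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        m = CREDENTIAL_CONSTANT.search(line)
        if m:
            findings.append((n, "constant", f"{m.group(1)} = {m.group(2)!r}"))
        m = LITERAL_LOGIN.search(line)
        if m:
            findings.append((n, "literal-login", f"{m.group(1)}({m.group(2)!r}, {m.group(3)!r})"))
        # Any literal equal to one of the advisory's account names is worth a look on its own.
        for lit in STRING_LITERAL.findall(line):
            if lit in KNOWN_ACCOUNTS:
                findings.append((n, "known-account", lit))
    return findings

if __name__ == "__main__":
    for line_no, kind, detail in find_hardcoded_credentials(SAMPLE_JAVA):
        print(f"line {line_no}: {kind}: {detail}")
```

Run over a whole tree of decompiled classes, the same function turns up both the constants and the inlined literals, which is the pattern that matters when auditing a firmware image for this class of defect.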
id: SSV:89384
last seen: 2017-11-19
modified: 2015-09-09
published: 2015-09-09
reporter: Fooying
source: https://www.seebug.org/vuldb/ssvid-89384
title: Schneider PLC Ethernet module firmware backdoor