Two years after the report of a hard-coded credentials bug that could allow attackers to gain remote access to a variety of industrial control system products manufactured by Schneider Electric, the company has announced that it has released updated firmware to mitigate the vulnerability.
In December of 2011, security researcher Rubén Santamarta announced he had discovered a hard-coded credentials flaw in the Schneider Electric Quantum Ethernet Module which could allow attackers remote access to the “Telnet port, Windriver Debug port, and the FTP service.”
ICS‑CERT worked with Santamarta on responsible disclosure and first published an advisory in March of this year. Now, nearly two years later, Schneider Electric has apparently remedied the problem.
“Schneider Electric has created firmware upgrades that resolve the Telnet and Windriver debug port vulnerabilities for all affected products by removing the Telnet and Windriver services from these modules,” ICS‑CERT stated.
“According to Schneider Electric, removing these services will not affect the capacities/functionalities of the product or impact the performance of customer installations. Telnet and Windriver debug services were installed only for advanced troubleshooting use and were never intended for customer use,” the advisory continued.
“Schneider has also released a firmware upgrade to address the FTP service vulnerability referenced above. It is available on selected Quantum programmable logic controller modules. This upgrade includes a new feature that allows the user to enable or disable both the FTP and HTTP services on the modules. Disabling these services will mitigate the vulnerability mentioned above.”
Given the importance of security in protecting critical infrastructure, a two-year process from disclosure to patching is, at the very least, concerning.