
Schneider Electric Quantum Ethernet Module Multiple Vulnerabilities

December 12, 2011

Security researcher Ruben Santamarta publicly announced details of multiple vulnerabilities affecting the Schneider Electric Quantum PLC Ethernet Module and coordinated his findings with ICS-CERT. The Quantum Ethernet Module is prone to an authentication-bypass vulnerability in the form of backdoor accounts built into the module firmware.

Attackers can exploit this issue to gain access to the module's Telnet service, Wind River debug port (VxWorks WDB agent) service, and FTP service.

Attackers can exploit this vulnerability to execute arbitrary code within the context of the vulnerable device. Schneider has produced a fix for two of the reported vulnerabilities (as of December 12) and is continuing to develop additional mitigations. Until fixed firmware is available for a given module, the practical mitigation is to restrict access to the Telnet, FTP and WDB ports of the affected modules to the engineering hosts that legitimately need them, and to monitor for any other access.
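Added example (not from the advisory, ICS-CERT or the vendor): a detection check that a plant network team could run over firewall or flow-export logs to flag connections to the three exposed services on known PLC Ethernet modules from hosts outside an engineering-workstation allowlist. The key=value log format, the sample log lines, the PLC addresses and the allowlist are all constructed for this illustration; the port numbers are the standard Telnet (TCP 23) and FTP (TCP 21) ports and the Wind River WDB agent's default UDP port 17185, which is assumed to be unchanged on the modules.

```python
import ipaddress
import re
from dataclasses import dataclass

# Services the advisory lists as reachable with the backdoor credentials.
# Port numbers are the protocol defaults; WDB (the VxWorks debug agent)
# defaults to UDP 17185.  Adjust if a site has moved them.
WATCHED_SERVICES = {
    ("tcp", 23): "telnet",
    ("tcp", 21): "ftp",
    ("udp", 17185): "wdb",
}

# Constructed firewall/flow log format for this example (not a real product's
# format): a timestamp followed by key=value fields.
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>tcp|udp)\s+"
    r"sport=\d+\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    service: str
    line: str


def parse_line(line):
    """Return (src, dst, proto, dport) for a log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dport"))


def find_exposed_access(lines, plc_hosts, allowed_sources):
    """Flag connections to Telnet/FTP/WDB on a PLC module from a non-allowlisted source.

    plc_hosts:        IP addresses of the affected Ethernet modules / CPUs.
    allowed_sources:  CIDR networks of engineering hosts permitted to use them.
    """
    plc = {ipaddress.ip_address(h) for h in plc_hosts}
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # unparseable line: skip, do not crash
        src, dst, proto, dport = parsed
        service = WATCHED_SERVICES.get((proto, dport))
        if service is None:
            continue                      # e.g. Modbus/TCP 502 is expected traffic
        if ipaddress.ip_address(dst) not in plc:
            continue                      # only care about the PLC modules
        src_ip = ipaddress.ip_address(src)
        if any(src_ip in net for net in allowed):
            continue                      # engineering workstation, expected
        alerts.append(Alert(src, dst, service, line))
    return alerts


# Constructed sample data: one PLC module at 10.10.1.50, engineering hosts in
# 10.10.5.0/24, and an unknown host 192.168.77.9 probing the backdoor services.
SAMPLE_LOG = [
    "2011-12-12T10:01:02Z src=10.10.5.21 dst=10.10.1.50 proto=tcp sport=51234 dport=502",
    "2011-12-12T10:01:05Z src=10.10.5.21 dst=10.10.1.50 proto=tcp sport=51240 dport=21",
    "2011-12-12T10:02:11Z src=192.168.77.9 dst=10.10.1.50 proto=tcp sport=40001 dport=23",
    "2011-12-12T10:02:15Z src=192.168.77.9 dst=10.10.1.50 proto=udp sport=40002 dport=17185",
    "2011-12-12T10:03:00Z src=192.168.77.9 dst=10.10.9.9 proto=tcp sport=40003 dport=23",
    "garbage line that does not parse",
]
PLC_HOSTS = ["10.10.1.50", "10.10.1.51"]
ALLOWED_SOURCES = ["10.10.5.0/24"]

if __name__ == "__main__":
    for a in find_exposed_access(SAMPLE_LOG, PLC_HOSTS, ALLOWED_SOURCES):
        print(f"ALERT {a.service:6s} {a.src} -> {a.dst}: {a.line}")
```

On the constructed data the check reports the Telnet and WDB attempts from 192.168.77.9 and stays quiet about the allowed engineering host's FTP session, the Modbus/TCP traffic and the Telnet connection to a non-PLC host. Any hit on the WDB port from an unexpected source should be treated as seriously as a confirmed compromise, since the page notes these services give an attacker code execution on the device.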

Affected products include:

Quantum
 - 140NOE77101 Firmware Version V4.9 and all previous versions
 - 140NOE77111 Firmware Version V5.0 and all previous versions
 - 140NOE77100 Firmware Version V3.4 and all previous versions
 - 140NOE77110 Firmware Version V3.3 and all previous versions
 - 140CPU65150 Firmware Version V3.5 and all previous versions
 - 140CPU65160 Firmware Version V3.5 and all previous versions
 - 140CPU65260 Firmware Version V3.5 and all previous versions
Premium
 - TSXETY4103 Firmware Version V5.0 and all previous versions
 - TSXETY5103 Firmware Version V5.0 and all previous versions
 - TSXP571634M Firmware Version V4.9 and all previous versions
 - TSXP572634M Firmware Version V4.9 and all previous versions
 - TSXP573634M Firmware Version V4.9 and all previous versions
 - TSXP574634M Firmware Version V3.5 and all previous versions
 - TSXP575634M Firmware Version V3.5 and all previous versions
 - TSXP576634M Firmware Version V3.5 and all previous versions
M340
 - BMXNOE0100 Firmware Version V2.3 and all previous versions
 - BMXNOE0110 Firmware Version V4.65 and all previous versions
 - BMXP342020 Firmware Version V2.2 and all previous versions
 - BMXP342030 Firmware Version V2.2 and all previous versions
STB DIO
 - STBNIC2212 Firmware Version V2.10 and all previous versions
 - STBNIP2311 Firmware Version V3.01 and all previous versions
 - STBNIP2212 Firmware Version V2.73 and all previous versions

ICS-CERT Advisories / Alerts

ICS-ALERT-11-346-01

Vendor Website (includes Patches / Hotfixes)

Schneider Electric Modicon Quantum PLC Product Info

Exploit Proof-of-Concept

No custom exploit code is required: an attacker can use readily available network utilities (a standard Telnet or FTP client, or a Wind River debug client for the WDB port) to exploit this issue once the module is reachable on the network.

Common Vulnerability & Exposure (CVE) References

Not available at this time.

Additional Information

Disclosure (Ruben Santamarta) - Reversing Industrial Firmware for Fun and Backdoors
Secunia Vulnerability Report and Statistics on Quantum Series Modules
SecurityFocus Vulnerability Info and Exploit, Bugtraq ID 51046

Holes in Schneider Ethernet Module (ISSSource)
Backdoors in Industrial Control Systems (H-Online)