Schneider Electric SCADA Gateway contains Hard-Coded FTP Credentials

Pierluigi Paganini January 22, 2015

Narendra Shinde of Qualys Security has identified multiple vulnerabilities in Schneider Electric’s ETG3000 FactoryCast HMI Gateway.

ICS-SCADA systems are critical components of for our society, they are often vital system inside critical infrastructure, but we still continue to discover naive vulnerabilities in the software they run.

The latest surprising discovery was made by security experts is the presence of two flaws in Schneider Electric’s ETG3000 FactoryCast HMI Gateway that could be exploited by an attacker to bypass authentication process and remote access to the system’s FTP server and configuration file.

The affected versions are:

  • TSXETG3000 all versions,
  • TSXETG3010 all versions,
  • TSXETG3021 all versions,
  • TSXETG3022 all versions.

The security vulnerabilities affect different versions of the Schneider Electric gateway, which is widely used in many industries like manufacturing, energy and water. Basically the gateway implements a Web-based SCADA system.

Schneider Electric flaws ETG3000 FactoryCast HMI Gateway

Due to the impact of the vulnerability, the ICS-CERT has issued a security advisory to inform companies operating in the different industries.

“Narendra Shinde of Qualys Security has identified multiple vulnerabilities in Schneider Electric’s ETG3000 FactoryCast HMI Gateway. Schneider Electric has produced a firmware update that mitigates part of these vulnerabilities. These vulnerabilities could be exploited remotely.” states the advisory.”The vulnerabilities allow unauthorized remote access to the gateway’s files and FTP account.”.

Schneider Electric has anyway issued an updated version of the firmware that fix the vulnerabilities. According to the advisory a hacker could remote access to a configuration file containing the device configuration (CVE-2014-9197).

“Access to the rde.jar file containing configuration details is accessible without authentication. This could allow an attacker access to information on the setup and configuration of the gateway,” reads the advisory.

Another vulnerability, coded as CVE-2014-9198, affects the FTP server that runs on the Schneider Electric gateway and is related to hard-coded credentials.

“The ftp server of the device has hard-coded credentials. This could allow the attacker to access the service without proper authentication,” the advisory says.

The update issued by Schneider Electric fixes the FTP bug by giving users the ability to disable the FTP server, anyway it does not remove the hard-coded credentials for the FTP service.

The experts at Schneider Electric recommend customers to change the default credentials for the config files to solve the the configuration file access issue.

Pierluigi Paganini

(Security Affairs – Schneider Electric, ICS-SCADA)

you might also like

leave a comment