Categories: Security

Schneider Electric SCADA Gateway contains Hard-Coded FTP Credentials

Narendra Shinde of Qualys Security has identified multiple vulnerabilities in Schneider Electric’s ETG3000 FactoryCast HMI Gateway.

ICS-SCADA systems are critical components of for our society, they are often vital system inside critical infrastructure, but we still continue to discover naive vulnerabilities in the software they run.

The latest surprising discovery was made by security experts is the presence of two flaws in Schneider Electric’s ETG3000 FactoryCast HMI Gateway that could be exploited by an attacker to bypass authentication process and remote access to the system’s FTP server and configuration file.

The affected versions are:

TSXETG3000 all versions,
TSXETG3010 all versions,
TSXETG3021 all versions,
TSXETG3022 all versions.

The security vulnerabilities affect different versions of the Schneider Electric gateway, which is widely used in many industries like manufacturing, energy and water. Basically the gateway implements a Web-based SCADA system.

Due to the impact of the vulnerability, the ICS-CERT has issued a security advisory to inform companies operating in the different industries.

“Narendra Shinde of Qualys Security has identified multiple vulnerabilities in Schneider Electric’s ETG3000 FactoryCast HMI Gateway. Schneider Electric has produced a firmware update that mitigates part of these vulnerabilities. These vulnerabilities could be exploited remotely.” states the advisory.”The vulnerabilities allow unauthorized remote access to the gateway’s files and FTP account.”.

Schneider Electric has anyway issued an updated version of the firmware that fix the vulnerabilities. According to the advisory a hacker could remote access to a configuration file containing the device configuration (CVE-2014-9197).

“Access to the rde.jar file containing configuration details is accessible without authentication. This could allow an attacker access to information on the setup and configuration of the gateway,” reads the advisory.

Another vulnerability, coded as CVE-2014-9198, affects the FTP server that runs on the Schneider Electric gateway and is related to hard-coded credentials.

“The ftp server of the device has hard-coded credentials. This could allow the attacker to access the service without proper authentication,” the advisory says.

The update issued by Schneider Electric fixes the FTP bug by giving users the ability to disable the FTP server, anyway it does not remove the hard-coded credentials for the FTP service.

The experts at Schneider Electric recommend customers to change the default credentials for the config files to solve the the configuration file access issue.

Pierluigi Paganini

(Security Affairs – Schneider Electric, ICS-SCADA)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.