Schneider Electric created a firmware update that mitigates some of the vulnerabilities in its ETG3000 FactoryCast HMI Gateway, according to a report on ICS-CERT.
Narendra Shinde of Qualys Security discovered the remotely exploitable vulnerabilities.
The following ETG3000 FactoryCast HMI Gateway models suffer from the issues:
• TSXETG3000 all versions
• TSXETG3010 all versions
• TSXETG3021 all versions
• TSXETG3022 all versions
The vulnerabilities allow unauthorized remote access to the gateway’s files and FTP account.
Schneider Electric is headquartered in Paris, France, and maintains offices in 190 countries worldwide.
The affected product, ETG3000 FactoryCast HMI Gateway, is a web-based SCADA system. According to Schneider Electric, these gateways see action across several sectors including critical manufacturing, energy, and water and wastewater systems. Schneider Electric estimates these products see use globally.
The rde.jar file, which contains configuration details, is accessible without authentication. This could allow an attacker access to information on the setup and configuration of the gateway.
CVE-2014-9197 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
The FTP server of the device has hard-coded credentials. This could allow an attacker to access the service without proper authentication.
CVE-2014-9198 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
No known public exploits specifically target these vulnerabilities. However, an attacker with low skill would be able to exploit them.
Schneider Electric has produced an updated firmware, labeled V1.60 IR 04. This firmware release moves the jar files directory into a secure area. The new firmware also includes the ability to disable the FTP server. The updated firmware is available for download.
Schneider Electric recommends users deactivate the FTP server when not needed. The firmware update does not remove the hard-coded credentials.
Narendra Shinde also found configuration files were accessible using default credentials. Schneider Electric recommends users change the default login credentials. This will protect configuration files from unauthorized access.