FTP server should be disabled for full risk mitigation

Jan 21, 2015 16:33 GMT

A security issue has been discovered in Schneider Electric’s ETG3000 FactoryCast HMI Gateway series, allowing a potential attacker to gain access to SCADA systems produced by the company based on available hard-coded FTP credentials.

The attacker would not need to authenticate and could remotely access the FTP server included in the product.

Vulnerabilities can be exploited remotely

Identified as CVE-2014-9198, the security issue has been assigned the maximum severity score under the Common Vulnerability Scoring System (CVSS), according to an advisory that ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) published on Tuesday.

An HMI (human machine interface) is used in a manufacturing or process control system and allows monitoring the state of the production machines, as well as controlling them. Depending on the product, this operation can be carried out from different devices, including mobile ones, and oftentimes there is the possibility of remote control.

Apart from CVE-2014-9198, researchers discovered another critical vulnerability that permits access to the rde.jar file, which holds the configuration settings of the gateway.

ICS-CERT notes that this flaw can also be exploited remotely by a threat actor without having to authenticate.

Narendra Shinde of Qualys Security found that the configuration files can also be accessed using the default username and password pair provided by the manufacturer.

Patch is available, but default FTP credentials still present a risk

The list of products affected by the two security issues includes all versions of TSXETG3000, TSXETG3010, TSXETG3021 and TSXETG3022.

Schneider Electric has already made available a patch that mitigates the risks. After it is applied, the rde.jar file is moved to a secure location and the user is given the option to disable the FTP server. However, it must be noted that the hard-coded credentials remain in place, so the product stays vulnerable whenever the FTP functionality is turned on.
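Because the credentials survive the patch, the practical check after patching is whether any gateway still answers on the FTP port at all. The following Python audit is an added example, not code from the article, from Schneider Electric or from ICS-CERT; the inventory addresses, port constant and function names are assumptions. It connects to TCP/21 on each listed gateway and classifies the reply, so any host reported as "ftp" still has the service (and therefore the hard-coded login) exposed and needs FTP disabled through the patched firmware.

```python
"""Post-patch check: confirm the FTP service on the listed gateways is off.

Hypothetical helper (not vendor or ICS-CERT tooling). It is meant to be run
from a host that is allowed to reach the gateways, e.g. an engineering
workstation on the control network.
"""
import socket

# Constructed inventory using RFC 5737 documentation addresses; replace with
# the real gateway list from your asset register.
GATEWAYS = ["192.0.2.10", "192.0.2.11"]
FTP_PORT = 21  # assumed: the product's FTP server listens on the standard port


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a listener sent after we connected.

    RFC 959 servers greet with a 220 reply. A 421 reply still comes from an
    FTP daemon that is merely refusing service right now. Anything else is a
    different service on the port.
    """
    text = data.decode("ascii", errors="replace").lstrip()
    if text.startswith("220"):
        return "ftp"
    if text.startswith("421"):
        return "ftp-refusing"
    return "open-not-ftp"


def probe(host: str, port: int = FTP_PORT, timeout: float = 3.0) -> str:
    """Return 'closed', 'open-silent', 'open-not-ftp', 'ftp' or 'ftp-refusing'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except OSError:  # recv timed out or the peer reset: open but mute
                return "open-silent"
    except OSError:  # refused, unreachable or connect timed out: nothing listening
        return "closed"
    return classify_banner(data) if data else "open-silent"


def audit(hosts=GATEWAYS, port: int = FTP_PORT) -> dict:
    """Probe every gateway; any state other than 'closed' deserves a look."""
    return {host: probe(host, port) for host in hosts}


def exposed(results: dict) -> list:
    """Hosts whose FTP daemon still answers, i.e. patched but FTP left enabled."""
    return sorted(h for h, s in results.items() if s in ("ftp", "ftp-refusing"))


if __name__ == "__main__":
    findings = audit()
    for host, state in findings.items():
        print(f"{host}: {state}")
    print("still exposing FTP:", exposed(findings) or "none")
```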

Schneider Electric advises users to change the default log-in credentials as they would allow access to the setup information.

The general recommendation from ICS-CERT is to minimize network exposure of all control system devices and make sure they cannot be accessed from the Internet. On the same note, control system networks should be placed behind firewalls and isolated from the business network, with VPN connections used when remote access is required.