Some products still have to receive firmware updates

Oct 2, 2014 11:50 GMT

A security flaw in SchneiderWEB affecting 22 products from Schneider Electric has received a fix to deny a potential remote attacker administrative access and control over a device without authentication, the company says in an advisory from September 16.

Affected products are those providing HTTP services and the Ethernet modules for M340, Quantum and Premium PLC (programmable logic controller) ranges.

The company discovered the glitch, which is now identified as CVE-2014-0754 and could lead to directory traversal attacks, during cyber-security research carried out with independent researcher Billy Rios.

A directory traversal attack abuses insufficient validation of user-supplied file names, letting a request reach files outside the directory the web server is meant to serve. Basically, if an individual knows where certain information is located, they can access it via a web browser.

Not all affected products received a patch

Exploiting the security flaw does not require advanced knowledge, and the vulnerability has been assigned an overall score of 9.3, according to the company's advisory. Additional details reveal that the complexity of an attack leveraging the flaw is medium and that, as far as data is concerned, the attacker has complete access to it.

“Schneider Electric takes these vulnerabilities very seriously and we have devoted resources to immediately investigate and address this issue. We believe it is critical to consider the whole picture, including safety, security and reliability. Any patches/solutions/mitigations we release will be carefully tested to ensure that they can be deployed in a manner that is both safe and secure,” the company says in the advisory.

According to the document, a fix has not been released for all affected products. Customers can download the latest firmware for some of the devices impacted and are offered advice on how to mitigate the risk on the unpatched products.

Company recommends increased security measures

The company recommends that customers use a deep packet inspection firewall to block HTTP requests containing traversals in the URL. It also advises disabling port 80 on modules, if possible, and blocking it in firewalls when used by affected devices, allowing it only for trusted devices.
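As an added illustration (not code from Schneider Electric's advisory or from any firewall product), the Python example below shows the kind of check a filter for traversals in the URL has to make: percent-decode the request target repeatedly, fold backslashes, and reject any `..` segment. The function names, the decode-round limit and the sample request lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double/triple percent-encoding
SEPARATORS = re.compile(r"[/\\?&=;#]")  # path, backslash and query delimiters

def decode_target(target: str) -> str:
    """Percent-decode the request target until it stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def has_traversal(target: str) -> bool:
    """True if any segment of the decoded target is exactly '..'."""
    return ".." in SEPARATORS.split(decode_target(target))

def filter_requests(request_lines):
    """Split HTTP request lines into (allowed, blocked) lists."""
    allowed, blocked = [], []
    for line in request_lines:
        parts = line.split()
        # A request line without a target is malformed; block it as well.
        if len(parts) < 2 or has_traversal(parts[1]):
            blocked.append(line)
        else:
            allowed.append(line)
    return allowed, blocked

# Constructed sample request lines (not taken from any real device or capture).
SAMPLE_REQUESTS = [
    "GET /index.htm HTTP/1.1",
    "GET /docs/release..notes.htm HTTP/1.1",       # dots inside a name: allowed
    "GET /html/../../config.txt HTTP/1.1",         # plain traversal
    "GET /html/..%2f..%2fconfig.txt HTTP/1.1",     # percent-encoded slash
    "GET /html/%252e%252e/config.txt HTTP/1.1",    # double-encoded dots
    "GET /view?file=..\\..\\config.txt HTTP/1.1",  # backslashes in the query
]

if __name__ == "__main__":
    ok, bad = filter_requests(SAMPLE_REQUESTS)
    for line in bad:
        print("BLOCK", line)
    for line in ok:
        print("ALLOW", line)
```

A filter that only matches the literal string `../` would pass the encoded requests in the sample, which is why the check decodes before comparing.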

This vulnerability is particularly important because Schneider Electric products are available in many automation and control applications in different industrial, infrastructure and building sectors.

The company says that SchneiderWEB is used in sectors such as communications, critical manufacturing, energy and water and wastewater systems across the globe.

Among the company's general recommendations for customers using its industrial automation products is placing PLCs behind one or more firewalls, in order to limit access to authorized individuals and protocols.