ID

VAR-201112-0254


CVE

CVE-2011-4861


TITLE

Schneider Electric Quantum Ethernet Module 'modbus_125_handler()' Code execution vulnerability

Trust: 1.1

sources: IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5473 // BID: 51158

DESCRIPTION

The modbus_125_handler function in the Schneider Electric Quantum Ethernet Module on the NOE 771 device (aka the Quantum 140NOE771* module) allows remote attackers to install arbitrary firmware updates via a MODBUS 125 function code to TCP port 502. Modbus is a communication protocol that defines the message structure that the controller can recognize and use.

TITLE: Schneider Electric Ethernet Modules Undocumented Account Security Issues

SECUNIA ADVISORY ID: SA47019

VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47019/

RELEASE DATE: 2011-12-14

DESCRIPTION: Ruben Santamarta has reported some security issues in multiple Schneider Electric modules, which can be exploited by malicious people to bypass certain security restrictions.

1) The Telnet service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g.

2) The Windriver Debug service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g.

3) The FTP service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g. modify HTTP passwords and upload malicious firmware.

Please see the ICS-CERT's advisory for a list of affected products and versions.

SOLUTION: Restrict access to trusted hosts only.

PROVIDED AND/OR DISCOVERED BY: Ruben Santamarta

ORIGINAL ADVISORY:
Ruben Santamarta: http://reversemode.com/index.php?option=com_content&task=view&id=80&Itemid=1
ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf

Trust: 4.41

sources: NVD: CVE-2011-4861 // JVNDB: JVNDB-2011-003479 // CNVD: CNVD-2011-5473 // CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302 // BID: 51158 // IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52806 // PACKETSTORM: 107894

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 2.6

sources: IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5473 // CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302

AFFECTED PRODUCTS

vendor: schneider, model: electric quantum ethernet module, scope: eq, version: x

Trust: 1.8

vendor: schneider electric, model: quantum ethernet module 140noe77100, scope: lte, version: 3.4

Trust: 1.8

vendor: schneider electric, model: quantum ethernet module 140noe77101, scope: lte, version: 4.9

Trust: 1.8

vendor: schneider electric, model: quantum ethernet module 140noe77111, scope: lte, version: 5.0

Trust: 1.8

vendor: schneider electric, model: quantum ethernet module 140noe77100, scope: lte, version: 3.3

Trust: 1.0

vendor: schneider, model: electric quantum ethernet module 140noe77100, scope: eq, version: 3.4

Trust: 0.9

vendor: schneider, model: electric quantum ethernet module 140noe77110, scope: eq, version: 3.3

Trust: 0.9

vendor: schneider, model: electric quantum ethernet module 140noe77111, scope: eq, version: 5.0

Trust: 0.9

vendor: schneider electric, model: quantum ethernet module 140noe77110, scope: lte, version: 3.3

Trust: 0.8

vendor: schneider electric, model: quantum ethernet module 140noe77100, scope: eq, version: 3.4

Trust: 0.6

vendor: schneider electric, model: quantum ethernet module 140noe77111, scope: eq, version: 5.0

Trust: 0.6

vendor: schneider electric, model: quantum ethernet module 140noe77100, scope: eq, version: 3.3

Trust: 0.6

vendor: schneider electric, model: quantum ethernet module 140noe77101, scope: eq, version: 4.9

Trust: 0.6

vendor: quantum ethernet module 140noe77100, model: -, scope: eq, version: *

Trust: 0.4

vendor: quantum ethernet module 140noe77101, model: -, scope: eq, version: *

Trust: 0.2

vendor: quantum ethernet module 140noe77111, model: -, scope: eq, version: *

Trust: 0.2

sources: IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5473 // CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302 // BID: 51158 // JVNDB: JVNDB-2011-003479 // CNNVD: CNNVD-201112-346 // NVD: CVE-2011-4861

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-4861
value: HIGH

Trust: 1.0

NVD: CVE-2011-4861
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201112-346
value: CRITICAL

Trust: 0.6

IVD: 4d061c68-2354-11e6-abef-000c29c66e3d
value: CRITICAL

Trust: 0.2

VULHUB: VHN-52806
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2011-4861
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

IVD: 4d061c68-2354-11e6-abef-000c29c66e3d
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-52806
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52806 // JVNDB: JVNDB-2011-003479 // CNNVD: CNNVD-201112-346 // NVD: CVE-2011-4861

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-52806 // JVNDB: JVNDB-2011-003479 // NVD: CVE-2011-4861

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201112-231 // CNNVD: CNNVD-201112-346

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201112-346

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-003479

PATCH

title: Top Page, url: http://www.schneider-electric.com

Trust: 0.8

title: Support, url: http://www.schneider-electric.co.jp/sites/japan/jp/support/contact/we-care.page

Trust: 0.8

title: Top Page, url: http://www.schneider-electric.com/site/home/index.cfm/jp/

Trust: 0.8

title: Patch for Schneider Electric Quantum Ether Module Hardcoded Validation Credential Validation Bypass Vulnerability (CNVD-2011-5303), url: https://www.cnvd.org.cn/patchInfo/show/6294

Trust: 0.6

title: Patch for Schneider Electric Quantum Ether Module Hardcoded Validation Credential Validation Bypass Vulnerability (CNVD-2011-5304), url: https://www.cnvd.org.cn/patchInfo/show/6296

Trust: 0.6

title: Patch for Schneider Electric Quantum Ether Module Hardcoded Validation Credential Validation Bypass Vulnerability (CNVD-2011-5302), url: https://www.cnvd.org.cn/patchInfo/show/6297

Trust: 0.6

sources: CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302 // JVNDB: JVNDB-2011-003479

EXTERNAL IDS

db: NVD, id: CVE-2011-4861

Trust: 3.6

db: ICS CERT ALERT, id: ICS-ALERT-11-346-01

Trust: 3.0

db: BID, id: 51046

Trust: 2.4

db: BID, id: 51158

Trust: 1.0

db: CNNVD, id: CNNVD-201112-346

Trust: 0.9

db: CNVD, id: CNVD-2011-5473

Trust: 0.8

db: JVNDB, id: JVNDB-2011-003479

Trust: 0.8

db: CNVD, id: CNVD-2011-5303

Trust: 0.6

db: CNVD, id: CNVD-2011-5304

Trust: 0.6

db: CNVD, id: CNVD-2011-5302

Trust: 0.6

db: CNNVD, id: CNNVD-201112-231

Trust: 0.6

db: IVD, id: 4D061C68-2354-11E6-ABEF-000C29C66E3D

Trust: 0.2

db: SECUNIA, id: 47019

Trust: 0.2

db: VULHUB, id: VHN-52806

Trust: 0.1

db: PACKETSTORM, id: 107894

Trust: 0.1

sources: IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5473 // CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302 // VULHUB: VHN-52806 // BID: 51158 // JVNDB: JVNDB-2011-003479 // PACKETSTORM: 107894 // CNNVD: CNNVD-201112-231 // CNNVD: CNNVD-201112-346 // NVD: CVE-2011-4861

REFERENCES

url:http://reversemode.com/index.php?option=com_content&task=view&id=80&itemid=1

Trust: 2.0

url:http://www.us-cert.gov/control_systems/pdf/ics-alert-11-346-01.pdf

Trust: 1.8

url:http://www.us-cert.gov/control_systems/pdf/ics-alert-11-346-01.pdf

Trust: 1.2

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4861

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4861

Trust: 0.8

url:http://www.securityfocus.com/bid/51158

Trust: 0.6

url:http://www.securityfocus.com/bid/51046

Trust: 0.6

url:http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true

Trust: 0.3

url:http://reversemode.com/index.php?option=com_content&task=view&id=80&itemid=1

Trust: 0.1

url:https://ca.secunia.com/?page=viewadvisory&vuln_id=47019

Trust: 0.1

url:http://secunia.com/advisories/47019/

Trust: 0.1

url:http://secunia.com/company/jobs/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

Trust: 0.1

url:http://secunia.com/vulnerability_intelligence/

Trust: 0.1

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/vulnerability_scanning/personal/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/47019/#comments

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: CNVD: CNVD-2011-5473 // CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302 // VULHUB: VHN-52806 // BID: 51158 // JVNDB: JVNDB-2011-003479 // PACKETSTORM: 107894 // CNNVD: CNNVD-201112-231 // CNNVD: CNNVD-201112-346 // NVD: CVE-2011-4861

CREDITS

Rubén Santamarta

Trust: 0.6

sources: CNNVD: CNNVD-201112-231

SOURCES

db: IVD, id: 4d061c68-2354-11e6-abef-000c29c66e3d
db: CNVD, id: CNVD-2011-5473
db: CNVD, id: CNVD-2011-5303
db: CNVD, id: CNVD-2011-5304
db: CNVD, id: CNVD-2011-5302
db: VULHUB, id: VHN-52806
db: BID, id: 51158
db: JVNDB, id: JVNDB-2011-003479
db: PACKETSTORM, id: 107894
db: CNNVD, id: CNNVD-201112-231
db: CNNVD, id: CNNVD-201112-346
db: NVD, id: CVE-2011-4861

LAST UPDATE DATE

2024-08-14T13:49:01.078000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2011-5473, date: 2011-12-29T00:00:00
db: CNVD, id: CNVD-2011-5303, date: 2011-12-15T00:00:00
db: CNVD, id: CNVD-2011-5304, date: 2011-12-15T00:00:00
db: CNVD, id: CNVD-2011-5302, date: 2011-12-15T00:00:00
db: VULHUB, id: VHN-52806, date: 2011-12-21T00:00:00
db: BID, id: 51158, date: 2011-12-21T00:00:00
db: JVNDB, id: JVNDB-2011-003479, date: 2011-12-21T00:00:00
db: CNNVD, id: CNNVD-201112-231, date: 2011-12-15T00:00:00
db: CNNVD, id: CNNVD-201112-346, date: 2011-12-19T00:00:00
db: NVD, id: CVE-2011-4861, date: 2011-12-21T05:00:00

SOURCES RELEASE DATE

db: IVD, id: 4d061c68-2354-11e6-abef-000c29c66e3d, date: 2011-12-29T00:00:00
db: CNVD, id: CNVD-2011-5473, date: 2011-12-29T00:00:00
db: CNVD, id: CNVD-2011-5303, date: 2011-12-15T00:00:00
db: CNVD, id: CNVD-2011-5304, date: 2011-12-15T00:00:00
db: CNVD, id: CNVD-2011-5302, date: 2011-12-15T00:00:00
db: VULHUB, id: VHN-52806, date: 2011-12-17T00:00:00
db: BID, id: 51158, date: 2011-12-21T00:00:00
db: JVNDB, id: JVNDB-2011-003479, date: 2011-12-21T00:00:00
db: PACKETSTORM, id: 107894, date: 2011-12-15T08:07:24
db: CNNVD, id: CNNVD-201112-231, date: 1900-01-01T00:00:00
db: CNNVD, id: CNNVD-201112-346, date: 2011-12-19T00:00:00
db: NVD, id: CVE-2011-4861, date: 2011-12-17T11:55:12.370