Details of VAR-201112-0254

ID

VAR-201112-0254

CVE

CVE-2011-4861

TITLE

Schneider Electric Quantum Ethernet Module 'modbus_125_handler()' Code execution vulnerability

Trust: 1.1

sources: IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5473 // BID: 51158

DESCRIPTION

The modbus_125_handler function in the Schneider Electric Quantum Ethernet Module on the NOE 771 device (aka the Quantum 140NOE771* module) allows remote attackers to install arbitrary firmware updates via a MODBUS 125 function code to TCP port 502. Modbus is a communication protocol that defines the message structure that the controller can recognize and use. ---------------------------------------------------------------------- Secunia is hiring! Find your next job here: http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Schneider Electric Ethernet Modules Undocumented Account Security Issues SECUNIA ADVISORY ID: SA47019 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/47019/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=47019 RELEASE DATE: 2011-12-14 DISCUSS ADVISORY: http://secunia.com/advisories/47019/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/47019/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=47019 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Ruben Santamarta has reported some security issues in multiple Schneider Electric modules, which can be exploited by malicious people to bypass certain security restrictions. 1) The Telnet service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g. 2) The Windriver Debug service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g. 3) The FTP service contains undocumented hardcoded credentials, which can be exploited to gain access to the service and e.g. modify HTTP passwords and upload malicious firmware. Please see the ICS-CERT's advisory for a list of affected products and versions. SOLUTION: Restrict access to trusted hosts only. PROVIDED AND/OR DISCOVERED BY: Ruben Santamarta ORIGINAL ADVISORY: Ruben Santamarta: http://reversemode.com/index.php?option=com_content&task=view&id=80&Itemid=1 ICS-CERT: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 4.41

sources: NVD: CVE-2011-4861 // JVNDB: JVNDB-2011-003479 // CNVD: CNVD-2011-5473 // CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302 // BID: 51158 // IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52806 // PACKETSTORM: 107894

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 2.6

sources: IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5473 // CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302

AFFECTED PRODUCTS

vendor:	schneider	model:	electric quantum ethernet module	scope:	eq	version:	x	Trust: 1.8
vendor:	schneider electric	model:	quantum ethernet module 140noe77100	scope:	lte	version:	3.4	Trust: 1.8
vendor:	schneider electric	model:	quantum ethernet module 140noe77101	scope:	lte	version:	4.9	Trust: 1.8
vendor:	schneider electric	model:	quantum ethernet module 140noe77111	scope:	lte	version:	5.0	Trust: 1.8
vendor:	schneider electric	model:	quantum ethernet module 140noe77100	scope:	lte	version:	3.3	Trust: 1.0
vendor:	schneider	model:	electric quantum ethernet module 140noe77100	scope:	eq	version:	3.4	Trust: 0.9
vendor:	schneider	model:	electric quantum ethernet module 140noe77110	scope:	eq	version:	3.3	Trust: 0.9
vendor:	schneider	model:	electric quantum ethernet module 140noe77111	scope:	eq	version:	5.0	Trust: 0.9
vendor:	schneider electric	model:	quantum ethernet module 140noe77110	scope:	lte	version:	3.3	Trust: 0.8
vendor:	schneider electric	model:	quantum ethernet module 140noe77100	scope:	eq	version:	3.4	Trust: 0.6
vendor:	schneider electric	model:	quantum ethernet module 140noe77111	scope:	eq	version:	5.0	Trust: 0.6
vendor:	schneider electric	model:	quantum ethernet module 140noe77100	scope:	eq	version:	3.3	Trust: 0.6
vendor:	schneider electric	model:	quantum ethernet module 140noe77101	scope:	eq	version:	4.9	Trust: 0.6
vendor:	quantum ethernet module 140noe77100	model:	-	scope:	eq	version:	*	Trust: 0.4
vendor:	quantum ethernet module 140noe77101	model:	-	scope:	eq	version:	*	Trust: 0.2
vendor:	quantum ethernet module 140noe77111	model:	-	scope:	eq	version:	*	Trust: 0.2

sources: IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5473 // CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302 // BID: 51158 // JVNDB: JVNDB-2011-003479 // CNNVD: CNNVD-201112-346 // NVD: CVE-2011-4861

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2011-4861
value:	HIGH
Trust: 1.0
NVD:	CVE-2011-4861
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201112-346
value:	CRITICAL
Trust: 0.6
IVD:	4d061c68-2354-11e6-abef-000c29c66e3d
value:	CRITICAL
Trust: 0.2
VULHUB:	VHN-52806
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2011-4861
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
IVD:	4d061c68-2354-11e6-abef-000c29c66e3d
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.9 [IVD]
Trust: 0.2
VULHUB:	VHN-52806
severity:	HIGH
baseScore:	10.0
vectorString:	AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	10.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // VULHUB: VHN-52806 // JVNDB: JVNDB-2011-003479 // CNNVD: CNNVD-201112-346 // NVD: CVE-2011-4861

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-52806 // JVNDB: JVNDB-2011-003479 // NVD: CVE-2011-4861

THREAT TYPE

remote

Trust: 1.2

sources: CNNVD: CNNVD-201112-231 // CNNVD: CNNVD-201112-346

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201112-346

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-003479

PATCH

title:	Top Page	url:	http://www.schneider-electric.com	Trust: 0.8
title:	サポート	url:	http://www.schneider-electric.co.jp/sites/japan/jp/support/contact/we-care.page	Trust: 0.8
title:	Top Page	url:	http://www.schneider-electric.com/site/home/index.cfm/jp/	Trust: 0.8
title:	Patch for Schneider Electric Quantum Ether Module Hardcoded Validation Credential Validation Bypass Vulnerability (CNVD-2011-5303)	url:	https://www.cnvd.org.cn/patchInfo/show/6294	Trust: 0.6
title:	Patch for Schneider Electric Quantum Ether Module Hardcoded Validation Credential Validation Bypass Vulnerability (CNVD-2011-5304)	url:	https://www.cnvd.org.cn/patchInfo/show/6296	Trust: 0.6
title:	Patch for Schneider Electric Quantum Ether Module Hardcoded Validation Credential Validation Bypass Vulnerability (CNVD-2011-5302)	url:	https://www.cnvd.org.cn/patchInfo/show/6297	Trust: 0.6

sources: CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302 // JVNDB: JVNDB-2011-003479

EXTERNAL IDS

db:	NVD	id:	CVE-2011-4861	Trust: 3.6
db:	ICS CERT ALERT	id:	ICS-ALERT-11-346-01	Trust: 3.0
db:	BID	id:	51046	Trust: 2.4
db:	BID	id:	51158	Trust: 1.0
db:	CNNVD	id:	CNNVD-201112-346	Trust: 0.9
db:	CNVD	id:	CNVD-2011-5473	Trust: 0.8
db:	JVNDB	id:	JVNDB-2011-003479	Trust: 0.8
db:	CNVD	id:	CNVD-2011-5303	Trust: 0.6
db:	CNVD	id:	CNVD-2011-5304	Trust: 0.6
db:	CNVD	id:	CNVD-2011-5302	Trust: 0.6
db:	CNNVD	id:	CNNVD-201112-231	Trust: 0.6
db:	IVD	id:	4D061C68-2354-11E6-ABEF-000C29C66E3D	Trust: 0.2
db:	SECUNIA	id:	47019	Trust: 0.2
db:	VULHUB	id:	VHN-52806	Trust: 0.1
db:	PACKETSTORM	id:	107894	Trust: 0.1

sources: IVD: 4d061c68-2354-11e6-abef-000c29c66e3d // CNVD: CNVD-2011-5473 // CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302 // VULHUB: VHN-52806 // BID: 51158 // JVNDB: JVNDB-2011-003479 // PACKETSTORM: 107894 // CNNVD: CNNVD-201112-231 // CNNVD: CNNVD-201112-346 // NVD: CVE-2011-4861

REFERENCES

url:	http://reversemode.com/index.php?option=com_content&task=view&id=80&itemid=1	Trust: 2.0
url:	http://www.us-cert.gov/control_systems/pdf/ics-alert-11-346-01.pdfhttp	Trust: 1.8
url:	http://www.us-cert.gov/control_systems/pdf/ics-alert-11-346-01.pdf	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-4861	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-4861	Trust: 0.8
url:	http://www.securityfocus.com/bid/51158http	Trust: 0.6
url:	http://www.securityfocus.com/bid/51046	Trust: 0.6
url:	http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true	Trust: 0.3
url:	http://reversemode.com/index.php?option=com_content&task=view&id=80&itemid=1	Trust: 0.1
url:	https://ca.secunia.com/?page=viewadvisory&vuln_id=47019	Trust: 0.1
url:	http://secunia.com/advisories/47019/	Trust: 0.1
url:	http://secunia.com/company/jobs/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/	Trust: 0.1
url:	http://secunia.com/vulnerability_intelligence/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/personal/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/advisories/47019/#comments	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1

sources: CNVD: CNVD-2011-5473 // CNVD: CNVD-2011-5303 // CNVD: CNVD-2011-5304 // CNVD: CNVD-2011-5302 // VULHUB: VHN-52806 // BID: 51158 // JVNDB: JVNDB-2011-003479 // PACKETSTORM: 107894 // CNNVD: CNNVD-201112-231 // CNNVD: CNNVD-201112-346 // NVD: CVE-2011-4861

CREDITS

Rub?n Santamarta

Trust: 0.6

sources: CNNVD: CNNVD-201112-231

SOURCES

db:	IVD	id:	4d061c68-2354-11e6-abef-000c29c66e3d
db:	CNVD	id:	CNVD-2011-5473
db:	CNVD	id:	CNVD-2011-5303
db:	CNVD	id:	CNVD-2011-5304
db:	CNVD	id:	CNVD-2011-5302
db:	VULHUB	id:	VHN-52806
db:	BID	id:	51158
db:	JVNDB	id:	JVNDB-2011-003479
db:	PACKETSTORM	id:	107894
db:	CNNVD	id:	CNNVD-201112-231
db:	CNNVD	id:	CNNVD-201112-346
db:	NVD	id:	CVE-2011-4861

LAST UPDATE DATE

2024-08-14T13:49:01.078000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2011-5473	date:	2011-12-29T00:00:00
db:	CNVD	id:	CNVD-2011-5303	date:	2011-12-15T00:00:00
db:	CNVD	id:	CNVD-2011-5304	date:	2011-12-15T00:00:00
db:	CNVD	id:	CNVD-2011-5302	date:	2011-12-15T00:00:00
db:	VULHUB	id:	VHN-52806	date:	2011-12-21T00:00:00
db:	BID	id:	51158	date:	2011-12-21T00:00:00
db:	JVNDB	id:	JVNDB-2011-003479	date:	2011-12-21T00:00:00
db:	CNNVD	id:	CNNVD-201112-231	date:	2011-12-15T00:00:00
db:	CNNVD	id:	CNNVD-201112-346	date:	2011-12-19T00:00:00
db:	NVD	id:	CVE-2011-4861	date:	2011-12-21T05:00:00

SOURCES RELEASE DATE

db:	IVD	id:	4d061c68-2354-11e6-abef-000c29c66e3d	date:	2011-12-29T00:00:00
db:	CNVD	id:	CNVD-2011-5473	date:	2011-12-29T00:00:00
db:	CNVD	id:	CNVD-2011-5303	date:	2011-12-15T00:00:00
db:	CNVD	id:	CNVD-2011-5304	date:	2011-12-15T00:00:00
db:	CNVD	id:	CNVD-2011-5302	date:	2011-12-15T00:00:00
db:	VULHUB	id:	VHN-52806	date:	2011-12-17T00:00:00
db:	BID	id:	51158	date:	2011-12-21T00:00:00
db:	JVNDB	id:	JVNDB-2011-003479	date:	2011-12-21T00:00:00
db:	PACKETSTORM	id:	107894	date:	2011-12-15T08:07:24
db:	CNNVD	id:	CNNVD-201112-231	date:	1900-01-01T00:00:00
db:	CNNVD	id:	CNNVD-201112-346	date:	2011-12-19T00:00:00
db:	NVD	id:	CVE-2011-4861	date:	2011-12-17T11:55:12.370