Monday, September 23, 2013

ICS-CERT Updates (again) Schneider Advisory

Today the DHS ICS-CERT published a second update for a series of Schneider Electric alerts and advisories dating back to December 2011 (12-12-11 Alert, 1-17-12 Advisory, 3-5-13 Alert, and 6-4-13 Advisory Update). The original alert was based upon a partially coordinated disclosure (we still haven’t heard the whole story on that) by Ruben Santamarta. The second alert was based upon an S4 Conference disclosure by Arthur Gervais.

This advisory update reports that:

• This advisory corrects and expands on the details in the specified alert and subsequent advisory updates;
• ICS-CERT has coordinated with Schneider Electric, and they have produced patches and firmware upgrades for Quantum and other affected products;
• Schneider Electric has created firmware upgrades that resolve the Telnet and Windriver debug port vulnerabilities for all affected products by removing the Telnet and Windriver services from these modules; and
• Schneider has also released a firmware upgrade to address the FTP service vulnerability by allowing the user to disable the FTP service.

The ICS-CERT advisory provides a link to the Schneider Electric download site, but I cannot find a reasonably identifiable upgrade that deals with removing the Telnet and Windriver services from the Quantum Ethernet Module. Of course, this fix was supposedly developed in 2011 for two of the affected modules, so it may take some searching to find these upgrades. Hopefully someone in the Schneider Electric service department will be able to help owners locate the appropriate upgrades.

The advisory notes that the removal of these two services should not impact operations since they were included only for “advance troubleshooting use” and were not intended to be used by customers.

ICS-CERT left language in the updated advisory {pg 5} that would seem to indicate that additional mitigation measures are expected. It is not clear from reading the rest of the updated advisory if this was simply an editorial oversight or if additional work is actually expected from Schneider.

1 comment:

Oren said...

I could not agree more with you.

It is not enough that the solution proposed is coming two years too late; the software upgrade is not identifiable within the list.

I expected more from Schneider Electric as a leader in the ICS world.
