Only a portion of the remotely exploitable flaws have been addressed

Jun 5, 2013 07:51 GMT

Back in December 2011, independent security researcher Rubén Santamarta published the details of several vulnerabilities he identified in Schneider Electric’s Quantum Ethernet Module, a module that allows a Quantum Programmable Logic Controller (PLC) to communicate with devices over an Ethernet network.

The impacted systems are mainly utilized in manufacturing, energy and infrastructure applications.

The expert discovered that the module contained hard-coded credentials that could be used to access the FTP service, the Windriver Debug port and the Telnet port. The security holes are remotely exploitable, and even an attacker with a low skill level can abuse them.

At the time, Santamarta said he reported his findings to ICS-CERT and that Schneider was working on a patch.

However, according to an ICS-CERT advisory, Schneider Electric has only now managed to patch “a portion” of the reported vulnerabilities.

The patches are available on Schneider Electric’s website.