Tenable found multiple vulnerabilities in the Schneider Electric Quantum Modicon 140 NOC 771 01 Ethernet Module.
CVE-2018-7809: Unauthenticated Password Reset
An unauthenticated remote attacker can delete the existing username and password for the HTTP server by visiting the following URL:
This also has the side effect of resetting the web server username and password to the default USER/USER.
CVE-2018-7810: Reflected XSS
CVE-2018-7811: Unauthenticated Password Change
The web server allows an authenticated remote user to change their password via the /secure/embedded/builtin endpoint. The web server also lets an unauthenticated remote attacker change users' passwords via the /unsecure/embedded/builtin endpoint. An example URL that changes the admin user's password to evilpass follows:
CVE-2018-7830: Unauthenticated Remote Denial of Service
A denial of service occurs when an unauthenticated remote attacker sends an HTTP request with no "\r\n\r\n" terminator. This renders the web server unusable for ~1 minute. The following is a one-line proof of concept:
echo -e "GET /index.htm HTTP/1.1\r\nHost: 192.168.248.30" | nc 192.168.248.30 80
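The one-liner above works because the module keeps waiting for the "\r\n\r\n" that never arrives. The usual mitigation is to bound how long and how many bytes a server will wait for a request head before dropping the client. The following is an added example written for this advisory, not code from Tenable or from the Schneider module; the byte cap, the timeout values and the local port in the demonstration are assumed, and the sample request bytes are constructed from the proof of concept above.

```python
import socket
import time
from typing import Optional

TERMINATOR = b"\r\n\r\n"   # end of an HTTP request head
MAX_HEAD_BYTES = 8192      # assumed cap on a request head
HEAD_TIMEOUT_S = 5.0       # assumed budget for receiving a complete head


class HeadReader:
    """Accumulates the head of one HTTP request under a byte cap and a wall-clock deadline.

    The clock is injectable so the reader can be exercised offline with a fake clock.
    """

    def __init__(self, clock=time.monotonic, max_bytes=MAX_HEAD_BYTES, timeout=HEAD_TIMEOUT_S):
        self._clock = clock
        self._max = max_bytes
        self._deadline = clock() + timeout
        self.buf = b""

    def feed(self, chunk: bytes) -> str:
        """Adds received bytes; returns 'complete', 'incomplete', 'timeout' or 'too_large'."""
        if self._clock() > self._deadline:
            return "timeout"
        self.buf += chunk
        if TERMINATOR in self.buf:
            return "complete"
        if len(self.buf) > self._max:
            return "too_large"
        return "incomplete"


def classify_head(raw: bytes, clock=time.monotonic) -> str:
    """One-shot classification of a captured request, e.g. taken from a pcap."""
    return HeadReader(clock=clock).feed(raw)


def read_head(conn: socket.socket) -> Optional[bytes]:
    """Reads one request head from an accepted socket without waiting forever.

    Returns the head bytes on success, None when the client never completed it. Each recv()
    is bounded by a socket timeout and the whole head by HeadReader's deadline and byte cap,
    so a client that omits the terminator occupies this handler for at most HEAD_TIMEOUT_S.
    The caller owns the socket and closes it.
    """
    reader = HeadReader()
    conn.settimeout(1.0)   # per-recv bound so a silent peer cannot block indefinitely
    while True:
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            chunk = None           # quiet second; only the deadline check below matters
        if chunk == b"":
            return None            # peer closed without finishing the head
        state = reader.feed(chunk or b"")
        if state == "complete":
            return reader.buf
        if state != "incomplete":
            return None            # timeout or oversized head: drop this client


if __name__ == "__main__":
    # Local demonstration on an assumed port: aim the advisory's netcat one-liner at
    # 127.0.0.1:8080 and the unterminated request is dropped after HEAD_TIMEOUT_S,
    # while a request carrying the terminator is answered immediately.
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 8080))
    srv.listen(5)
    while True:
        conn, _ = srv.accept()
        head = read_head(conn)
        if head is not None:
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        conn.close()
```

A single handler per connection still needs the deadline; a pool of handlers with no deadline only raises the number of unterminated requests needed to exhaust it.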
CVE-2018-7831: Cross-site request forgery
The password change functionality is implemented with an HTTP GET request in which the new password is specified. An anti-forgery token is not required to validate the request. Furthermore, the current password does not need to be specified in order to complete a password change. An attacker can forge a link to be sent to an authenticated victim. Once clicked, the password will be changed. Example URL:
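The three weaknesses described above (GET-based state change, no anti-forgery token, no current-password check) are easiest to see side by side with a handler that closes them. The following is an added example written for this advisory, not code from Tenable or from the Schneider module: the in-memory user and session tables are constructed, and the parameter names user, newpass, current and csrf are hypothetical, since the advisory does not give the device's real parameter names.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the module's web server.
USERS = {"admin": "USER"}   # username -> password; the device ships with USER/USER
SESSIONS = {}               # session id -> {"user": ..., "csrf": ...}


def login(user: str, password: str):
    """Creates a session carrying a per-session CSRF token; returns the session id or None."""
    if USERS.get(user) != password:
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid


def vulnerable_change_password(method: str, cookies: dict, params: dict) -> int:
    """The pattern the advisory describes: any request from a logged-in browser changes
    the password named in the query string. Because the browser attaches the session
    cookie automatically, a link the victim follows is enough. Returns an HTTP status."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    # No method restriction, no anti-forgery token, no current password, no ownership check.
    USERS[params["user"]] = params["newpass"]
    return 200


def hardened_change_password(method: str, cookies: dict, form: dict) -> int:
    """Same operation with the three missing controls added. Returns an HTTP status."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401
    if method != "POST":
        return 405                      # state changes never ride on GET
    token = form.get("csrf", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403                      # a forged cross-site request cannot know the token
    user = session["user"]              # a user may change only their own password
    if USERS.get(user) != form.get("current", ""):
        return 403                      # proof of the current password is required
    new = form.get("newpass", "")
    if len(new) < 8:
        return 400
    USERS[user] = new
    return 200


if __name__ == "__main__":
    sid = login("admin", "USER")
    print(vulnerable_change_password("GET", {"sid": sid}, {"user": "admin", "newpass": "evilpass"}))
    print(hardened_change_password("GET", {"sid": sid}, {"newpass": "evilpass"}))
```

The token comparison uses hmac.compare_digest rather than == so that a forged request cannot learn the token one byte at a time through timing.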
Tenable reported seven vulnerabilities to Schneider Electric. Schneider indicated that one of our vulnerabilities (default accounts) was a duplicate and that the other (Modbus denial of service) was not a vulnerability. However, we've decided to document them here.
Default FTP Accounts
We found a handful of default FTP accounts. Some of the passwords we used relied on the VxHash collision technique disclosed by H.D. Moore in 2010.
Modbus Denial of Service
Modbus is accessible over TCP port 502. Tenable found that the following unauthenticated remote Modbus message will completely shut down the Ethernet module:
echo -ne "\x0\xa8\x0\x0\x0\x5\x0\x5a\x0\x7\x0" | nc 192.168.238.30 502
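Decoding the bytes above shows why this message stands out on the wire: the MBAP header carries transaction id 0x00a8, protocol id 0, a length of 5 and unit id 0, followed by function code 0x5A (90), which is not a public Modbus function code but the code Schneider uses for its proprietary UMAS protocol. A monitor on port 502 can parse the header, check the length field against the bytes actually present, and flag non-public function codes. The following is an added example written for this advisory, not code from Tenable or from Schneider; the frame constant is reconstructed from the proof of concept above, and the second sample frame is constructed.

```python
import struct
from typing import List, NamedTuple

# Public Modbus function codes ordinary PLC traffic on port 502 is expected to use.
# Anything else is vendor-specific (Schneider's UMAS uses 0x5A) or unexpected here.
PUBLIC_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43}


class ModbusFrame(NamedTuple):
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(frame: bytes) -> ModbusFrame:
    """Decodes one Modbus/TCP frame: a 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # 'length' counts the unit id plus the PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with {len(frame) - 6} trailing bytes")
    return ModbusFrame(tid, pid, length, uid, frame[7], frame[8:])


def assess(frame: bytes) -> List[str]:
    """Returns findings for a frame; an empty list means it looks like ordinary traffic."""
    try:
        f = parse_mbap(frame)
    except ValueError as e:
        return [f"malformed: {e}"]
    findings = []
    if f.function_code & 0x80:
        findings.append(f"exception response for function {f.function_code & 0x7F}")
    elif f.function_code not in PUBLIC_FUNCTION_CODES:
        findings.append(f"non-public function code 0x{f.function_code:02x}")
    return findings


# The advisory's message, reconstructed from the echo -ne escapes above.
ADVISORY_FRAME = b"\x00\xa8\x00\x00\x00\x05\x00\x5a\x00\x07\x00"
# Constructed benign request: unit 1, function 3 (read holding registers), 10 registers from 0.
BENIGN_FRAME = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"

if __name__ == "__main__":
    for raw in (ADVISORY_FRAME, BENIGN_FRAME):
        print(raw.hex(), assess(raw) or "ok")
```

The check is deliberately narrow: it flags the function code, not the three data bytes, because the page does not say which UMAS sub-function those bytes select, and a monitor should alert on any non-public code reaching a module that is only expected to serve standard Modbus.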