That “don't use hard-coded passwords” infosec rule? Someone needs to use a needle to write it on the corner of Schneider Electric's developers' eyes so they don't forget it.
Yes, it's happened again, this time on the SCADA vendor's Schneider Modicon TM221CE16R, Firmware 22.214.171.124 – and without new firmware, users are stuck, because they can't change the password.
It's a real Friday-afternoon-special: someone encrypted the user/password XML file with the fixed key “SoMachineBasicSoMachineBasicSoMa”.
That means an attacker can open the control environment (SoMachine Basic 1.4 SP1), get and decrypt the user file, and take over.
As the discoverers, Simon Heming, Maik Brüggemann, Hendrik Schwartke, Ralf Spenneberg of Germany's Open Source Security note, they went public because Schneider didn't respond to their contact.
The same group dropped another treat, again from Schneider, again on the TM221CE16R, Firmware 126.96.36.199 hardware: the password protecting its applications can be retrieved remotely without authentication.
A user need only send the command below over Modbus using TCP Port 502:
echo -n -e '\x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00' | nc IP 502
“After that the retrieved password can be entered in SoMachine Basic to download, modify and subsequently upload again any desired application”, they write.
America's ICS-CERT classifies Schneider Modicon kit as falling in the “Critical Manufacturing, Food and Agriculture, Water and Wastewater Systems” critical infrastructure sectors – something The Register thinks should make it more careful about putting passwords inside its firmware.