Mitigations Available for PanelShock Vulnerabilities in Schneider Electric Magelis HMIs

Schneider Electric has recommended a number of mitigations to ward off two critical vulnerabilities in its Magelis HMI products.

One week after addressing a critical vulnerability in its industrial controller management software, Schneider Electric is in the midst of handling two more serious flaws in a number of its Magelis HMI products.

HMI is short for human machine interface, a graphical visualization of an industrial process that also includes a panel through which operators manipulate and manage processes.

An attacker exploiting either of the vulnerabilities could crash an industrial process, and in a critical industry such as water or energy, the impact on lives could be substantial.

The flaws, nicknamed PanelShock, were privately disclosed in April to Schneider Electric by an ICS and SCADA security startup called Critifence. CTO Eran Goldstein said in an advisory published Tuesday that the Magelis GTO, GTU, STO, STU, and XBT panels are affected by the vulnerabilities (CVE-2016-8367 and CVE-2016-8374). Schneider Electric has provided a number of temporary mitigations, but operators of the GTO Advanced Optimum panels and GTU Universal panel should not expect a patch until next March when product upgrades are scheduled to be available.

A request for comment from Schneider Electric was not returned in time for publication.

“By exploiting PanelShock vulnerabilities, a malicious attacker can ‘freeze’ the panel remotely and disconnect the HMI panel device from the SCADA network and prevent the panel from communicating with PLCs and other devices, which can cause the supervisor or operator to perform wrong actions, which may further damage the factory or plant operation,” Critifence said.

The vulnerabilities, Critifence said, are related to improper implementations of different HTTP request methods and a resource consumption management mechanism. Schneider Electric qualified that for an exploit to be successful, the Web Gate Server, which is off by default, must be enabled.

“The use cases identified demonstrate the ability to generate a freeze condition on the HMI, that can lead to a denial of service due to incomplete error management of HTTP requests in the Web Gate Server,” Schneider Electric said in its advisory. “While under attack via a malicious HTTP request, the HMI may be rendered unable to manage communications due to high resource consumption. This can lead to a loss of communications with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover.”

Schneider Electric recommends limiting exposure of the vulnerable HMIs to the Internet and disabling the Web Gate Server. Also, control system networks should be isolated from business networks and behind a firewall. If remote access is required, Schneider Electric recommends it be done through a VPN connection and that systems’ patching levels be current.

Last week, a critical flaw was disclosed in Schneider Electric Unity Pro software that allows for remote code execution. ICS security company Indegy found the flaw in the Unity Pro PLC Simultor, and Schneider Electric had patched it on Oct. 14. Any Unity Pro component exposed to the Internet was vulnerable, and attackers could take advantage of a lack of authentication to access the controller and exploit the issue.

Suggested articles