Security Firm Discloses Unpatched Flaws in Schneider HMI Product

A cybersecurity startup has disclosed a couple of unpatched denial-of-service (DoS) vulnerabilities affecting a human-machine interface (HMI) product from Schneider Electric.

CRITIFENCE, a company that specializes in security solutions for industrial control systems (ICS), reported on Tuesday that Eran Goldstein, its CTO and founder, in April discovered two serious flaws in Schneider Electric Magelis HMI panels.

The affected devices allow operators and process engineers to monitor and manage industrial facilities. Users can configure the products with the Vijeo Designer software.

The security holes, dubbed “PanelShock” and tracked as CVE-2016-8367 and CVE-2016-8374, allow attackers to cause the devices to enter a DoS condition by sending specially crafted HTTP requests. According to the security firm, the issues are caused by improper implementation of HTTP request methods and resource consumption management mechanisms.

“The use cases identified demonstrate the ability to generate a freeze condition on the HMI, that can lead to a denial of service due to incomplete error management of HTTP requests in the Web Gate Server,” Schneider Electric said in an advisory. “While under attack via a malicious HTTP request, the HMI may be rendered unable to manage communications due to high resource consumption. This can lead to a loss of communication s with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover.”

The PanelShock vulnerabilities affect Magelis GTO, GTU, STO, STU and XBT panels. Schneider Electric has yet to release patches, but it has provided recommendations on how to mitigate possible attacks. The energy management giant has classified the flaws as high severity, but pointed out that the attacks described by CRITIFENCE only work if the Web Gate Server, which is disabled by default, is active.

The vendor has informed users of Magelis GTO Advanced Optimum and GTU Universal panels that a new version of the Vijeo Designer software, one that will not include these vulnerabilities, will be released in March 2017.

The flaws can be exploited remotely even by an attacker with low skill and the publicly available information is sufficient for developing an exploit. CRITIFENCE has published a free tool that allows users to check their devices for these types of vulnerabilities and a video that shows how an attack works:

Last week, at SecurityWeek’s 2016 ICS Cyber Security Conference, researchers from Indegy and CyberX reported finding some serious vulnerabilities in Schneider’s Unity Pro software platform and its ConneXium industrial firewalls.

Related: ICS-CERT Issues Alerts After Expert Discloses Power Meter Flaws

Related: U.S. Has Most Internet Connected Industrial Control Systems