A cybersecurity startup has disclosed a couple of unpatched denial-of-service (DoS) vulnerabilities affecting a human-machine interface (HMI) product from Schneider Electric.
CRITIFENCE, a company that specializes in security solutions for industrial control systems (ICS), reported on Tuesday that Eran Goldstein, its CTO and founder, in April discovered two serious flaws in Schneider Electric Magelis HMI panels.
The affected devices allow operators and process engineers to monitor and manage industrial facilities. Users can configure the products with the Vijeo Designer software.
The security holes, dubbed “PanelShock” and tracked as CVE-2016-8367 and CVE-2016-8374, allow attackers to cause the devices to enter a DoS condition by sending specially crafted HTTP requests. According to the security firm, the issues are caused by improper implementation of HTTP request methods and resource consumption management mechanisms.
“The use cases identified demonstrate the ability to generate a freeze condition on the HMI, that can lead to a denial of service due to incomplete error management of HTTP requests in the Web Gate Server,” Schneider Electric said in an advisory. “While under attack via a malicious HTTP request, the HMI may be rendered unable to manage communications due to high resource consumption. This can lead to a loss of communication s with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover.”
The PanelShock vulnerabilities affect Magelis GTO, GTU, STO, STU and XBT panels. Schneider Electric has yet to release patches, but it has provided recommendations on how to mitigate possible attacks. The energy management giant has classified the flaws as high severity, but pointed out that the attacks described by CRITIFENCE only work if the Web Gate Server, which is disabled by default, is active.
The vendor has informed users of Magelis GTO Advanced Optimum and GTU Universal panels that a new version of the Vijeo Designer software, one that will not include these vulnerabilities, will be released in March 2017.
The flaws can be exploited remotely even by an attacker with low skill and the publicly available information is sufficient for developing an exploit. CRITIFENCE has published a free tool that allows users to check their devices for these types of vulnerabilities and a video that shows how an attack works:
Last week, at SecurityWeek’s 2016 ICS Cyber Security Conference, researchers from Indegy and CyberX reported finding some serious vulnerabilities in Schneider’s Unity Pro software platform and its ConneXium industrial firewalls.
Related: ICS-CERT Issues Alerts After Expert Discloses Power Meter Flaws
Related: U.S. Has Most Internet Connected Industrial Control Systems

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
