DoS vulnerabilities found in ICS equipment

News by Roi Perez

Further vulnerabilities have been discovered in Schneider Electric industrial control systems kit by researchers from CheckPoint Software and Critifence who have dubbed them "PanelShock".

The Magelis human machine interface (HMI), made by Schneider Electric, has been found to have system-crashing flaws that “can lead to a denial of service due to incomplete error management of HTTP requests in the Web Gate Server.”

Schneider Electric has recognised the vulnerabilities and released a security advisory which details the attack further, saying that “while under attack via a malicious HTTP request, the HMI may be rendered unable to manage communications due to high resource consumption. This can lead to a loss of communications with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover.”

Exploitation of this vulnerability requires the Web Gate Server to be activated. By default, this function is disabled. A CVSS score of 7.5 has been given to the vulnerability.

To minimise potential exposure, users of all affected versions are advised to:
  • Minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

  • Minimise potential attack surface by leaving the Web Gate Server set to its default disabled state if it is not needed.

  • Place control system networks and devices behind firewalls (such as the ConneXium Tofino Firewalls), and isolate them from the business network.

  • Limit traffic on the local network with managed switches (such as ConneXium managed switches).

  • Where possible, avoid Wi-Fi capabilities.

  • When Wi-Fi is essential, use only secure communications (such as WPA2 encryption).

  • Do not grant access to unknown computers.

  • When remote access is essential, use secure methods such as Virtual Private Networks.

  • Ensure the remote access solution(s), as well as the remote computer(s) are kept up-to-date with the latest security patches.

According to Schneider, devices using Magelis HMI are still vulnerable to the PanelShock attack. The company said, “current owners of the following affected products will be able to upgrade Vijeo Designer to a new software offer with new run time for their units in March 2017”.

The news comes as another group of researchers, at cyber-security firm Indegy, found a remote code execution vulnerability in Schneider Electric's flagship industrial controller management software, Unity Pro. The vulnerability allows hackers to remotely execute code on industrial control systems networks.

Writing on his company's website, Mille Gandelsman, CTO of Indegy, called the vulnerability a “major concern” and urged anyone running Unity Pro software to update to the latest version. Unity Pro, which runs on Windows PCs, is used for managing and programming industrial control systems.

Schneider Electric has said that all versions of Unity Pro, including the latest, version 11.1, are impacted. Indegy has highlighted that the vulnerability does not require a compromise of the controllers in an ICS network because, “the industrial controllers lack authentication and industrial communications protocols lack encryption.”
