Are vulnerabilities of this nature common place, or one offs?
Are vulnerabilities of this nature common place, or one offs?

Further vulnerabilities have been discovered in Schneider Electric industrial control systems kit by researchers from CheckPoint Software and Critifence who have dubbed them “PanelShock”.

The Magelis human machine interface (HMI), made by Schneider Electric, has been found to have system crashing flaws, that “can lead to a  denial of service due to incomplete error management of HTTP requests in the Web Gate Server.”

Schneider Electric has recognised the vulnerabilities, and released a security advisory which details the attack further saying that, “while under attack via a malicious HTTP request, the HMI may be rendered unable to manage communications due to high resource consumption. This can lead to a loss of communications with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover.”

Exploitation of this vulnerability requires the Web Gate Server to be activated. By default, this function is disabled. The CVSS score of 7.5 has been given to the vulnerability.

To minimise potential exposure, users of all affected versions are advised to:
  • Minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.

  • Minimise potential attack surface by leaving the Web Gate Server set to its default disabled state if it is not needed.

  • Place control system networks and devices behind firewalls (such as the ConneXium Tofino Firewalls), and isolate them from the business network.

  • Limit traffic on the local network with managed switches (such as ConneXium managed switches).

  • Where possible, avoid Wi-Fi capabilities.

  • When Wi-Fi is essential, use only secure communications (such as WPA2 encryption).

  • Do not grant access to unknown computers.

  • When remote access is essential, use secure methods such as Virtual Private Networks.

  • Ensure the remote access solution(s), as well as the remote computer(s) are kept up-to-date with the latest security patches.

According to Schneider, devices using Magelis HMI are still vulnerable to the PanelShock attack, the company said, “current owners of the following affected products will be able to upgrade Vijeo Designer to a new software offer with new run time for their units in March 2017”.

The news comes as another group of researchers at cyber-security firm Inedgy had found a remote code execution vulnerability in Schneider Electric's flagship industrial controller management software, Unity Pro. The vulnerability allows hackers to remotely execute code onto industrial control systems networks.

Writing on his company's website, Mille Gandelsman, CTO of Indegy, called the vulnerability a “major concern” and urged anyone running Unity Pro software to update to the latest version. Unity Pro, which runs on Window PCs, is used for managing and programing industrial control systems.

Schneider Electric has said that all versions of Unity Pro, including the latest, version 11.1, are impacted. Indegy has highlighted that the vulnerability does not require a compromise of the controllers in an ICS network because, “the industrial controllers lack authentication and industrial communications protocols lack encryption.”