Schneider Electric Control Tools ‘Vulnerable To Attack’

The control panels can be knocked offline by remote attackers using an unpatched bug, say security experts

Industrial control tools from Schneider Electric can be disabled by Internet-based hackers using software flaws that remain unfixed, researchers have warned.

Computer security firm Critifence said either of two bugs, which it labelled “PanelShock”, could allow an attacker to overload a line of display panels made by the French industrial control systems giant and effectively take it offline.

Display panels vulnerable

The bugs can be exploited using a single computer and don’t require an attacker to flood devices with large amounts of data, Critifence said in an advisory.

The Magelis Advanced HMI Panels product line, used by engineers and operators to monitor and manage industrial processes, includes a feature called Vijeo Web Gate Server that allows the panels to be accessed via a web browser or other HTTP client.

Both bugs in the Web Gate service involve an improper delay in timing out requests from remote hosts, Critifence said. In both cases the delay is long enough to allow attackers to carry out a denial of service.

The bug is particularly dangerous because it could cause operator errors, according to the advisory.

No fix available

“A malicious attacker can ‘freeze’ the panel remotely and disconnect the HMI panel device from the SCADA network… which can cause the supervisor or operator to perform wrong actions, which may further damage the factory or plant operation”, the advisory stated.

Supervisory control and data acquisition (SCADA) systems allow industrial devices to be monitored and controlled remotely. Security experts have long warned of the potential risks as critical infrastructure is linked to such networks.

Schneider acknowledged it was aware of the flaws, has issued an alert to users and is working with researchers on a fix, but doesn’t expect it to be available until March of next year.

“While under attack via a malicious HTTP request, the human-machine interface (HMI) may be rendered unable to manage communications due to high resource consumption,” the company stated. “This can lead to a loss of communications with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover.”

It noted the bug can only be exploited if the Web Gate Server feature is activated, and it is disabled by default.

Remote code execution bug

While awaiting a patch users can protect themselves by ensuring the feature is disabled if it isn’t required, the company said.

If companies need to use the web access feature they can mitigate the risk with measures such as firewalls or disabling access to unknown computers, Critifence said.

The disclosure follows that of a separate bug last week in Unity Pro, Schneider’s industrial controller management software.

That bug allows an attacker to execute malicious code on a system, and affects all versions of Unity Pro, but was fixed in the most recent release, v11.1, according to an advisory from industrial control security firm Indegy.