Security researchers have discovered another serious vulnerability in industrial control kit from Schneider Electric.

System crashing flaws in the physical HMI (Human Machine Interface) hardware, dubbed PanelShock by security researchers, follow days after the earlier disclosure of security vulnerabilities in Schneider Electric’s Unity simulator (PLC programming framework).

The vulnerabilities were discovered by researchers from Check Point and cybersecurity startup Critifence.

“Vulnerabilities of the physical HMI (Human Machine Interface) hardware affect all the Magelis HMI series,” explained Eran Goldstein, CTO and co-founder of cybersecurity startup Critifence, “In addition our zero-day vulnerabilities doesn’t require any software to be installed on the target server.”

Vulnerabilities in the Web Gate web service of the Magelis Advanced HMI panels series create a means for an attacker to “freeze” the panel remotely and disconnect the HMI panel devices from the SCADA network. This prevents the panel from communicate with PLCs and other devices on an industrial control network.

The latest flaws are “totally different” to the recently disclosed bugs affecting Unity simulator, he added.

In response to queries from El Reg, Schneider Electric confirmed what it describes as a potential DDoS risk. The firm has pushed out an advisory to customers (extract below) offering mitigation advice. A more comprehensive fix is not due for four months until next March.

The use cases identified demonstrate the ability to generate a freeze condition on the HMI, that can lead to a denial of service due to incomplete error management of HTTP requests in the Web Gate Server. While under attack via a malicious HTTP request, the HMI may be rendered unable to manage communications due to high resource consumption. This can lead to a loss of communications with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover. Exploitation of this vulnerability requires the Web Gate Server to be activated. By default, this function is disabled.

The flaw rates a CVSS Score of 7.5 (hot as in a Madras but short of a Vindaloo in curry equivalency).

Goldstein explained that the vulnerability - which for now remains unresolved - is more serious than its designation as a DDoS risk might imply.

“The exact vulnerability is uncontrolled resource consumption (as documented in CVE-2016-8367 and CVE-2016-8374 by ICS-CERT and MITRE),” Goldstein told El Reg. “But despite the fact [that] we are talking about pretty simple DDoS attack, it is still dangerous in this case and can cause to a serious damage to the system.

“By freezing the HMI panel devices [it could] cause the supervisor or operator to perform [the] wrong actions, which may further damage the whole factory or plant operations,” he warned.

Magelis Advanced HMI Panel devices are still vulnerable to PanelShock attack as Schneider Electric advisory explains “current owners of the following affected products will be able to upgrade Vijeo Designer to a new software offer with new run time for their units in March 2017”. ®