Schneider Electric Control Tools ‘Vulnerable To Attack’

Industrial control tools from Schneider Electric can be disabled by Internet-based hackers using software flaws that remain unfixed, researchers have warned.

Computer security firm Critifence said either of two bugs, which it labelled “PanelShock”, could allow an attacker to overload a line of display panels made by the French industrial control systems giant and effectively take it offline.

Display panels vulnerable

The bugs can be exploited using a single computer and don’t require an attacker to flood devices with large amounts of data, Critifence said in an advisory.

The Magelis Advanced HMI Panels product line, used by engineers and operators to monitor and manage industrial processes, includes a feature called Vijeo Web Gate Server that allows the panels to be accessed via a web browser or other HTTP client.

Both bugs in the Web Gate service involve an improper delay in timing out requests from remote hosts, Critifence said. In both cases the delay is long enough to allow attackers to carry out a denial of service.

The bug is particularly dangerous because it could cause operator errors, according to the advisory.

No fix available

“A malicious attacker can ‘freeze’ the panel remotely and disconnect the HMI panel device from the SCADA network… which can cause the supervisor or operator to perform wrong actions, which may further damage the factory or plant operation”, the advisory stated.

Supervisory control and data acquisition (SCADA) systems allow industrial devices to be monitored and controlled remotely. Security experts have long warned of the potential risks as critical infrastructure is linked to such networks.

Schneider acknowledged it was aware of the flaws, has issued an alert to users and is working with researchers on a fix, but doesn’t expect it to be available until March of next year.

“While under attack via a malicious HTTP request, the human-machine interface (HMI) may be rendered unable to manage communications due to high resource consumption,” the company stated. “This can lead to a loss of communications with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover.”

It noted the bug can only be exploited if the Web Gate Server feature is activated, and it is disabled by default.

Remote code execution bug

While awaiting a patch users can protect themselves by ensuring the feature is disabled if it isn’t required, the company said.

If companies need to use the web access feature, they can mitigate the risk with measures such as firewalls or disabling access to unknown computers, Critifence said.
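The two defensive points raised above, a bounded timeout on incoming requests (the class of defect the advisory describes as an improper delay in timing out remote requests) and restricting access to known hosts, are easy to see in a small listener. The following is an added illustration written for this article; it is not code from Schneider Electric, Critifence or the Vijeo Web Gate Server, and the names `GateServer`, `probe`, the timeout value and the allowlisted networks are assumptions chosen for the example. One deadline covers the whole request head, so a client that connects and then sends nothing, or trickles bytes, is released after a fixed interval instead of holding the handler open.

```python
import ipaddress
import socket
import threading
import time
from collections import Counter

# Constructed values for this illustration; they are not settings from Schneider
# Electric, Critifence or the Vijeo Web Gate Server.
HEADER_TIMEOUT_SECONDS = 0.5          # deadline for a client to finish the request head
MAX_HEADER_BYTES = 8192               # upper bound on request-head size
DEFAULT_ALLOWLIST = ("127.0.0.0/8",)  # hypothetical engineering-workstation networks

RESPONSE_OK = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"
RESPONSE_TIMEOUT = b"HTTP/1.1 408 Request Timeout\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"


def client_allowed(addr: str, allowlist) -> bool:
    """True if the peer address falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in allowlist)


def read_request_head(conn: socket.socket, timeout: float, limit: int):
    """Read until the blank line that ends an HTTP request head.

    Returns the bytes read, or None if the client exceeded the overall deadline,
    closed early, or sent more than `limit` bytes without finishing the head.
    The deadline is fixed at the first byte, not reset on each chunk.
    """
    deadline = time.monotonic() + timeout
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            conn.settimeout(remaining)
            chunk = conn.recv(1024)
            if not chunk or len(buf) + len(chunk) > limit:
                return None
            buf += chunk
    except socket.timeout:
        return None
    return buf


class GateServer:
    """Tiny HTTP listener combining a bounded request timeout with a source allowlist."""

    def __init__(self, allowlist=DEFAULT_ALLOWLIST, timeout=HEADER_TIMEOUT_SECONDS):
        self.allowlist, self.timeout = allowlist, timeout
        self.outcomes = Counter()  # counts of "rejected", "timeout" and "served"
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))  # ephemeral port
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()

    def handle(self, conn, addr):
        with conn:
            if not client_allowed(addr[0], self.allowlist):
                self.outcomes["rejected"] += 1  # unknown host: close before reading anything
                return "rejected"
            head = read_request_head(conn, self.timeout, MAX_HEADER_BYTES)
            outcome = "timeout" if head is None else "served"
            self.outcomes[outcome] += 1
            try:
                conn.sendall(RESPONSE_TIMEOUT if head is None else RESPONSE_OK)
            except OSError:
                pass
            return outcome

    def _loop(self):
        self._sock.settimeout(0.1)
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break  # listening socket closed by stop()
            threading.Thread(target=self.handle, args=(conn, addr), daemon=True).start()

    def start(self):
        threading.Thread(target=self._loop, daemon=True).start()
        return self

    def stop(self):
        self._stop.set()
        self._sock.close()


def probe(port: int, payload: bytes, wait: float = 3.0):
    """Send `payload` to the server; return (bytes answered, seconds until it closed)."""
    started = time.monotonic()
    chunks = []
    with socket.create_connection(("127.0.0.1", port), timeout=wait) as s:
        if payload:
            s.sendall(payload)
        while True:
            try:
                chunk = s.recv(4096)
            except (socket.timeout, ConnectionResetError):
                break
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks), time.monotonic() - started
```

Running `GateServer().start()` and then `probe(srv.port, b"GET / HTTP/1.1\r\n")` shows the point: the request head is never completed, so the server answers 408 and closes the connection after roughly half a second rather than waiting on the client. A server built with an allowlist that does not contain the caller's network closes the connection before reading a byte, which is the "disable access to unknown computers" mitigation expressed in code.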

The disclosure follows that of a separate bug last week in Unity Pro, Schneider’s industrial controller management software.

That bug allows an attacker to execute malicious code on a system, and affects all versions of Unity Pro, but was fixed in the most recent release, v11.1, according to an advisory from industrial control security firm Indegy.


Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
