"Security researchers at CRITIFENCE Critical Infrastructure and SCADA/ICS Cyber Threats Research Group publicly announced this morning (November 1, 2016) PanelShock, major cyber security vulnerabilities affecting one of the world’s largest manufacturers of SCADA and Industrial Control Systems, Schneider Electric".
About PanelShock
The PanelShock vulnerabilities (ICSA-16-308-02) disclosed an improper implementation of different HTTP request methods, CVE-2016-8367 (SVE-82003201), and an improper implementation of the resource consumption management mechanism, CVE-2016-8374 (SVE-82003202), in the Web Gate web service of the Magelis Advanced HMI panel series. By exploiting the PanelShock vulnerabilities, a malicious attacker can remotely “freeze” the panel, disconnect the HMI panel device from the SCADA network and prevent the panel from communicating with PLCs and other devices. This can cause the supervisor or operator to perform wrong actions, which may further damage the factory or plant operation.
The PanelShock zero-day vulnerabilities were discovered in April 2016 by Eran Goldstein, CTO and Founder of CRITIFENCE.
Impact
Successful exploitation of these vulnerabilities could result in a denial of service for the affected devices. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.
Background
Schneider Electric is a European-based company that maintains offices in 190 countries worldwide. The affected products, the Magelis HMI Advanced panel series and the Vijeo Web Gate Server developed by Schneider Electric, allow process engineers and operators to monitor and manage industrial facilities via web browsers or other HTTP clients.
Affected Products
The following Schneider Electric Magelis Advanced HMI Panels are affected:
- Magelis GTO Advanced Optimum panels
- Magelis GTU Universal panel
- Magelis STO & STU Small panels
- Magelis XBT GH Advanced hand-held Panel
- Magelis XBT GK Advanced Touchscreen Panels with Keyboard
- Magelis XBT GT Advanced Touchscreen Panels
- Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe)
Vulnerability Overview
IMPROPER IMPLEMENTATION OF HTTP GET REQUEST (CVE-2016-8367 / SVE-82003201)
The timeout value for closing an HTTP client's requests in the Web Gate service is too long, which allows a malicious attacker to open multiple connections to the targeted web server and keep them open for as long as possible by continuously sending partial HTTP requests, none of which are ever completed. The attacked server opens more and more connections while waiting for each of the attack requests to be completed, which enables a single computer to take down the Web Gate Server.
IMPROPER IMPLEMENTATION OF HTTP chunked Transfer-Encoding REQUEST (CVE-2016-8374 / SVE-82003202)
The timeout value between chunks for closing an HTTP chunked-encoding connection in the Web Gate service is too long. This allows a malicious attacker to keep the connection open by exploiting the maximum possible interval between chunks, while the service, which must buffer the whole result set before it can calculate the total content size for the Content-Length header, keeps the connection alive. As with the previous finding, this enables a single computer to take down the Web Gate Server.
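Both findings are slow-HTTP patterns: requests whose headers never complete, and chunked bodies whose next chunk never arrives. That is also what a defender watching the HMI's web service can look for. The following is an added example, not CRITIFENCE, Schneider Electric or Web Gate code: it runs a per-source stalled-connection heuristic over constructed connection-state records. The record format, the field names, the thresholds (10 seconds, 5 connections) and the addresses are all assumptions; the Web Gate service itself does not export such records, so in practice they would come from a reverse proxy or a network sensor placed in front of the panel.

```python
"""Heuristic detection of slow-HTTP connection exhaustion against an HMI web
service. Added example: not CRITIFENCE, Schneider Electric or Web Gate code.
The record format and all thresholds below are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Illustrative thresholds (assumed, not taken from the advisory or the vendor).
HEADER_TIMEOUT_S = 10.0      # headers still incomplete after this many seconds
CHUNK_GAP_TIMEOUT_S = 10.0   # chunked body silent for this many seconds
SUSPECT_CONNS_PER_SRC = 5    # stalled connections from one source before alerting


@dataclass
class Conn:
    src: str            # client address
    age_s: float        # seconds since the TCP connection was accepted
    headers_done: bool  # request line and headers fully received
    chunked: bool       # request body uses Transfer-Encoding: chunked
    chunk_gap_s: float  # seconds since the last chunk arrived (0 if not chunked)


def parse_record(line: str) -> Conn:
    """Parse one constructed 'key=value ...' connection-state line, e.g.
    'src=10.0.5.21 age=31 headers=partial enc=none chunk_gap=-'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Conn(
        src=fields["src"],
        age_s=float(fields["age"]),
        headers_done=fields["headers"] == "complete",
        chunked=fields["enc"] == "chunked",
        chunk_gap_s=0.0 if fields["chunk_gap"] == "-" else float(fields["chunk_gap"]),
    )


def classify(conn: Conn) -> Optional[str]:
    """Name the slow-request pattern a connection matches, or None if it looks normal."""
    if not conn.headers_done and conn.age_s > HEADER_TIMEOUT_S:
        return "partial-headers"   # never-completed request (CVE-2016-8367 pattern)
    if conn.headers_done and conn.chunked and conn.chunk_gap_s > CHUNK_GAP_TIMEOUT_S:
        return "stalled-chunked"   # chunked body gone quiet (CVE-2016-8374 pattern)
    return None


def find_suspect_sources(conns: Iterable[Conn]) -> Dict[str, Dict[str, int]]:
    """Count stalled connections per source and keep only sources holding
    SUSPECT_CONNS_PER_SRC or more of them (one slow client is not an attack)."""
    per_src: Dict[str, Dict[str, int]] = {}
    for c in conns:
        kind = classify(c)
        if kind is None:
            continue
        counts = per_src.setdefault(c.src, {"partial-headers": 0, "stalled-chunked": 0})
        counts[kind] += 1
    return {src: counts for src, counts in per_src.items()
            if sum(counts.values()) >= SUSPECT_CONNS_PER_SRC}


def report(records: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Parse raw records and return the suspect sources with their pattern counts."""
    return find_suspect_sources(parse_record(r) for r in records)


# Constructed snapshot of open connections to the HMI's HTTP port (not real data):
# 6 never-completed requests from one host, 5 stalled chunked uploads from another,
# normal operator traffic, and a single slow client that should not trip the alert.
SAMPLE_RECORDS: List[str] = (
    [f"src=10.0.5.21 age={31 + i} headers=partial enc=none chunk_gap=-" for i in range(6)]
    + [f"src=10.0.5.22 age={60 + i} headers=complete enc=chunked chunk_gap=25" for i in range(5)]
    + ["src=10.0.9.10 age=2 headers=complete enc=none chunk_gap=-"] * 3
    + ["src=10.0.9.11 age=15 headers=partial enc=none chunk_gap=-"]
)

if __name__ == "__main__":
    for src, counts in report(SAMPLE_RECORDS).items():
        print(f"{src}: {counts}")
```

Because the root cause in both CVEs is that the Web Gate service's own timeouts are too long, an alert like this is most useful at a proxy or firewall in front of the panel, where the stalled connections can be dropped before the panel's connection table fills. The per-source threshold keeps one genuinely slow operator workstation from raising an alert on its own.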
PanelShock Attack PoC Video
The PanelShock attack PoC (Proof of Concept) video demonstrates how a low-skill malicious attacker can disable the Web Gate server in Schneider Electric Magelis Advanced HMI panels and take down a Magelis HMI panel using a single machine.
Mitigation
Following the disclosure, Schneider Electric confirmed that the Magelis HMI series products are vulnerable to the findings presented by CRITIFENCE and released an Important Security Bulletin (SEVD-2016-302-01).
Once the existence of the vulnerabilities was acknowledged, CRITIFENCE, with support from ICS-CERT (Department of Homeland Security, DHS), worked in collaboration with Schneider Electric to mitigate and remediate the vulnerabilities and to create security updates for all Schneider Electric Magelis Advanced HMI Panel series.
ICS-CERT released an advisory (ICSA-16-308-02) for PanelShock vulnerabilities.
Schneider Electric is already working on a software update for the affected types of HMI panels.
PanelShockVCT (Vulnerability Check Tool)
As part of the disclosure, the CRITIFENCE Critical Infrastructure and SCADA/ICS Cyber Threats Research Group has released a free tool to actively check for the specific PanelShock vulnerabilities: CRITIFENCE PanelShockVCT (Vulnerability Check Tool).
Thanks and Credits
CRITIFENCE would like to thank the following persons and organizations for the collaboration and their great work during the disclosure and remediation process:
- Mr. George Fidas from Schneider Electric
- ICS-CERT (Department of Homeland Security, DHS)
- Mr. Rami Ben-Efraim, Head of Government, Defense and Critical Infrastructure Sectors at Check Point Software Technologies Ltd.
- Mr. Oded Vanunu, Head of Products Vulnerability Research at Check Point Software Technologies Ltd.
More information about PanelShock
- ICS-CERT Advisory: ICSA-16-308-02
- Schneider Electric: Important Security Bulletin (SEVD-2016-302-01)
- MITRE CVE: CVE-2016-8374
- MITRE CVE: CVE-2016-8367
- theregister | Freeze ...SCADA! Flaw lets hackers peel away Human Machine Interface
- securityaffairs | PanelShock 0-day Vulnerability Puts Thousands of Schneider Electric HMI Panels at Risk
- scmagazineuk | DoS vulnerabilities found in ICS equipment
- onthewire | Pair of Bugs Can Disconnect Schneider HMI Gear From SCADA Networks
- threatpost | Mitigations Available for PanelShock Vulnerabilities in Schneider Electric Magelis HMIs
- drivesncontrols | Cyber-flaws in Schneider HMIs could allow attacks