Researchers have discovered a pair of serious vulnerabilities in several ICS products made by Schneider Electric that can allow an attacker to freeze the human-machine interface (HMI) panel of vulnerable devices and cause it to lose communication with the controllers on a SCADA network.
The vulnerabilities affect seven different Magelis HMI products from Schneider; their Web Gate service exposes the panel for remote monitoring and management over the web. Researchers at Critifence discovered the vulnerabilities and reported them to Schneider, but no patches are available at the moment. Schneider said that software upgrades for some of the products will be available in March.
The two flaws that Critifence discovered are classified as denial-of-service conditions, but because they can disrupt SCADA and ICS network functionality, they’re considered serious.
“The timeout value for closing an HTTP client’s requests in the Web Gate service is too long and allows a malicious attacker to open multiple connections to the targeted web server and keep them open for as long as possible by continuously sending partial HTTP requests, none of which are ever completed. The attacked server opens more and more connections, waiting for each of the attack requests to be completed, which enables a single computer to take down the Web Gate Server,” the advisory from Critifence says.
The second vulnerability is similar, but it is triggered through the request body rather than the headers, using HTTP chunked transfer encoding.
“The timeout value between chunks for closing an HTTP chunked encoding connection in the Web Gate service is too long and allows a malicious attacker to keep the connection open by exploiting the maximum possible interval between chunks and by using the Content-Length header and buffering the whole result set before calculating the total content size, which keeps the connection alive and enables a single computer to take down the Web Gate Server,” the advisory says.
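Both bugs come down to the same thing: an HTTP reader that waits far too long for the rest of a request, so one client can pin every worker with connections it never finishes. The Python below is an added example and not code from Schneider, Critifence or the Magelis firmware; it shows the hardened shape of such a reader, with one deadline for completing the request head and a fresh idle deadline for every chunk of a chunked body, exercised by constructed sample requests that mimic the two stalled-client patterns the advisory describes. Names such as `Reader`, `handle`, `start_server` and `talk`, and all timeout values, are hypothetical; the real Web Gate timeouts are not given on this page.

```python
# Added example, not Schneider's or Critifence's code: a request reader with a deadline on finishing
# the request head and a fresh idle deadline on every body chunk. Names and timeout values are hypothetical.
import contextlib
import socket
import threading
import time

MAX_HEADER_BYTES = 8 * 1024  # give up on a request head larger than this
# Constructed sample requests (not captured traffic).
COMPLETE_GET = b"GET / HTTP/1.1\r\nHost: hmi\r\n\r\n"
CHUNKED_HEAD = b"POST / HTTP/1.1\r\nHost: hmi\r\nTransfer-Encoding: chunked\r\n\r\n"
COMPLETE_CHUNKED = CHUNKED_HEAD + b"5\r\nhello\r\n0\r\n\r\n"
SLOW_HEADERS = b"GET / HTTP/1.1\r\nHost: hmi\r\nX-Pad: 1\r\n"  # terminating blank line never sent
SLOW_CHUNKED = CHUNKED_HEAD + b"5\r\nhello\r\n"                   # next chunk-size line never sent

class Reader:
    """Buffered socket reader; every read carries an absolute time.monotonic() deadline."""
    def __init__(self, sock):
        self.sock, self.buf = sock, b""
    def _fill(self, deadline):
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("deadline exceeded")
        self.sock.settimeout(remaining)  # recv raises socket.timeout once the deadline passes
        data = self.sock.recv(4096)
        if not data:
            raise ConnectionError("peer closed")
        self.buf += data
    def read_until(self, marker, limit, deadline):
        while True:
            i = self.buf.find(marker)
            if i >= 0:
                out, self.buf = self.buf[:i], self.buf[i + len(marker):]
                return out
            if len(self.buf) > limit:
                raise ValueError("limit exceeded")
            self._fill(deadline)
    def read_exact(self, n, deadline):
        while len(self.buf) < n:
            self._fill(deadline)
        out, self.buf = self.buf[:n], self.buf[n:]
        return out

def read_chunked(r, idle_timeout):
    """Decode a chunked body; each size line and each chunk must arrive within idle_timeout."""
    body = b""
    while True:
        line = r.read_until(b"\r\n", 64, time.monotonic() + idle_timeout)
        size = int(line.split(b";")[0].strip(), 16)
        if size == 0:
            r.read_until(b"\r\n", 64, time.monotonic() + idle_timeout)  # final CRLF
            return body
        body += r.read_exact(size + 2, time.monotonic() + idle_timeout)[:-2]  # drop chunk CRLF

def _reply(conn, status, body=b""):
    with contextlib.suppress(OSError):  # peer may already be gone
        conn.sendall(b"HTTP/1.1 %s\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s"
                     % (status, len(body), body))

def handle(conn, header_timeout, chunk_idle_timeout):
    """Serve one connection; a client that stalls gets 408 and is dropped instead of holding a slot."""
    try:
        r = Reader(conn)
        head = r.read_until(b"\r\n\r\n", MAX_HEADER_BYTES, time.monotonic() + header_timeout)
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (ln.partition(b":") for ln in head.split(b"\r\n")[1:])}
        if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
            body = read_chunked(r, chunk_idle_timeout)
        else:  # a fixed-length body gets one window of header_timeout of its own
            n = int(headers.get(b"content-length", b"0"))
            body = r.read_exact(n, time.monotonic() + header_timeout)
        _reply(conn, b"200 OK", b"%d body bytes" % len(body))
    except (TimeoutError, socket.timeout):
        _reply(conn, b"408 Request Timeout")
    except (ValueError, OSError):
        _reply(conn, b"400 Bad Request")
    finally:
        conn.close()

def start_server(header_timeout, chunk_idle_timeout):
    """Accept connections on an ephemeral loopback port in a daemon thread; returns the port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, header_timeout, chunk_idle_timeout), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def talk(port, payload, hold=3.0):
    """Send payload, then go silent; returns (server's status line or "", seconds waited)."""
    start = time.monotonic()
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        c.settimeout(hold)
        try:
            data = c.recv(4096)
        except socket.timeout:
            data = b""  # the server is still holding the half-finished request open
    return data.split(b"\r\n", 1)[0].decode(), time.monotonic() - start
```

With `port = start_server(0.5, 0.5)`, `talk(port, SLOW_HEADERS)` and `talk(port, SLOW_CHUNKED)` each get a `408 Request Timeout` in about half a second, while the two complete requests get `200 OK`. Against `start_server(300, 300)`, the same stalled request returns an empty status once the client gives up waiting, and the server-side worker is still blocked in `recv`, which is exactly the slot exhaustion the advisory describes. A real server also needs a cap on total body size and on concurrent connections per client address; this sketch leaves those out.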
The researchers have named the bugs PanelShock, and Schneider said in its advisory that it is working on updates to address them. One mitigating factor is that the Web Gate Server must be enabled for the attack to succeed, and it is disabled by default; leaving it off wherever remote web access to the panel is not needed removes the attack surface entirely.
“The use cases identified demonstrate the ability to generate a freeze condition on the HMI, that can lead to a denial of service due to incomplete error management of HTTP requests in the Web Gate Server. While under attack via a malicious HTTP request, the HMI may be rendered unable to manage communications due to high resource consumption. This can lead to a loss of communications with devices such as Programmable Logic Controllers (PLCs), and require reboot of the HMI in order to recover,” the Schneider advisory says.
Image: Seth Stoll, CC BY-SA 2.0 license.