November 1, 2016 | Written by: Eran Goldstein

#CRITIFENCE, #Cyber, #Security, #cybersecurity, #SCADA, #ICS, #OT, #IioT, #CI, #Critical, #Infrastructure, #criticalinfrastructure

Schneider Electric Magelis HMI Advanced Panel (0-Day Vulnerabilities)

"Security researchers at CRITIFENCE Critical Infrastructure and SCADA/ICS Cyber Threats Research Group publicly announced this morning (November 1, 2016) about PanelShock, a major cyber security vulnerabilities affecting one of the world’s largest manufacturers of SCADA and Industrial Control Systems, Schneider Electric".

About PanelShock

PanelShock vulnerabilities (ICSA-16-308-02) disclosed improper implementation of different HTTP request methods CVE-2016-8367 (SVE-82003201) and improper implementation of resource consumption management mechanism CVE-2016-8374 (SVE-82003202), in the Web Gate web service of Magelis Advanced HMI panel’s series. By exploiting PanelShock vulnerabilities, a malicious attacker can “freeze” the panel remotely and disconnect the HMI panel device from the SCADA network and prevent the panel from communicate with PLCs and other devices, which can cause the supervisor or operator to perform wrong actions, which may further damage the factory or plant operation.


Successful exploitation of these vulnerabilities could result in a denial of service for the affected devices. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.


Schneider Electric is a European-based company that maintains offices in 190 countries worldwide. The affected products, the Magelis HMI Advanced panel series and Vijeo Web Gate Server developed by Schneider Electric allow process engineers and operators to monitor and manage industrial facilities via web browsers or other HTTP clients.

Affected Products

The following Schneider Electric Magelis Advanced HMI Panels are affected:
  • Magelis GTO Advanced Optimum panels
  • Magelis GTU Universal panel
  • Magelis STO & STU Small panels
  • Magelis XBT GH Advanced hand-held Panel
  • Magelis XBT GK Advanced Touchscreen Panels with Keyboard
  • Magelis XBT GT Advanced Touchscreen Panels
  • Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe)

Vulnerability Overview


The timeout value for closing an HTTP client's requests in the Web Gate service is too long and allows a malicious attacker to open multiple connections to the targeted web server and keep them open for as long as possible by continuously sending partial HTTP requests, none of which are ever completed. The attacked server opens more and more connections, waiting for each of the attack requests to be completed, which enables a single computer to take down the Web Gate Server.

IMPROPER IMPLEMENTATION OF HTTP chunked Transfer-Encoding REQUEST (CVE-2016-8374 / SVE-82003202)

The timeout value between chunks for closing an HTTP chunked encoding connection in the Web Gate service is too long and allows a malicious attacker to keep the connection open by exploiting the maximum possible interval between chunks and by using the Content-Length header and buffer the whole result set before calculating the total content size, which keeps the connection alive and enables a single computer to take down the Web Gate Server.


Following a disclosure, Schneider Electric have confirmed that the Magelis HMI Series products are vulnerable to the findings presented by CRITIFENCE and released an Important Security Bulletin (SEVD-2016-302-01).

Once acknowledged the existence of the vulnerability, CRITIFENCE with a support from ICS-CERT (Department of Homeland Security, DHS) worked in collaboration with Schneider Electric to mitigate and remediate the vulnerabilities in order to create security updates for all Schneider Electric Magelis Advanced HMI Panel series.

ICS-CERT released an advisory (ICSA-16-308-02) for PanelShock vulnerabilities.

Schneider Electric are already working on a software update for the affected types of HMI panels.

More information about PanelShock

From the news

For more information about CRITIFENCE® Cyber Security Solution for Critical Infrastructure,
SCADA and Industrial Control Systems and the SCADADome solution, download SCADADome Solution White Paper.