Schneider Electric Magelis HMI Panels
Plan Patch · CVSS 7.4 · ICS-CERT ICSA-20-044-02 · Aug 13, 2019
Schneider Electric · Energy · Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Denial-of-service vulnerability in Schneider Electric Magelis HMI panels affecting HMIGTO, HMIGTU, HMISCU, XBTGC, HMIGTUX, HMIGXU, HMISTU, XBTGH, XBTGT, HMIGXO, and HMISTO series. All versions are affected. Successful exploitation could cause a denial-of-service condition, resulting in loss of human-machine interface availability and control system visibility.
What this means
What could happen
An attacker could remotely crash or hang the HMI panel, preventing operators from monitoring and controlling industrial processes. Loss of the HMI could interrupt plant operations if operators cannot see or interact with critical process parameters.
Who's at risk
Water utilities and municipal electric providers using Schneider Electric Magelis HMI panels for SCADA monitoring and control. Affected models include the HMIGTO, HMIGTU, HMISCU, XBTGC, HMIGTUX, HMIGXU, HMISTU, XBTGH, XBTGT, HMIGXO, and HMISTO series in energy and manufacturing sectors. Any facility relying on these HMI devices for process visibility and operator control is at risk.
How it could be exploited
An attacker with network access to the affected ports (44818/TCP, 502/TCP, 6000/TCP, 6002/TCP, 8080/TCP, 8014/TCP, or 6001/TCP) on the HMI panel could send a specially crafted request to trigger a denial-of-service condition, causing the panel to become unresponsive.
Prerequisites
- Network access to at least one of ports 44818/TCP, 502/TCP, 6000/TCP, 6002/TCP, 8080/TCP, 8014/TCP, or 6001/TCP on the HMI panel
- No authentication required
- No special user interaction required beyond sending the malicious request
Remotely exploitable · No authentication required · Low complexity attack · No patch available · Affects operator interface—loss of visibility into critical processes
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (23)
4 with fix · 1 pending · 18 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Harmony/Magelis HMISTO series All versions | All versions | No fix (EOL) |
| Harmony/Magelis XBTGT series All versions | All versions | No fix (EOL) |
| Harmony/Magelis HMIGK series | <6.2 SP11 | 6.2 SP11 Multi HotFix 4 |
| Harmony/Magelis HMIGTO series | <6.2 SP11 | 6.2 SP11 Multi HotFix 4 |
| Harmony/Magelis HMIGTU series | <6.2 SP11 | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: Implement network firewall rules to block unauthorized access to ports 44818/TCP, 502/TCP, 6000/TCP, 6002/TCP, 8080/TCP, 8014/TCP, and 6001/TCP on all Magelis HMI panels
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Restrict network access to HMI panels to only authorized engineering workstations and control system devices; implement IP-based access lists if supported
- HARDENING: If remote access to the HMI is required, use a VPN with strong authentication; ensure the VPN software is kept up to date
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Harmony/Magelis HMISTO series All versions, Harmony/Magelis XBTGT series All versions, Harmony/Magelis HMIGXO series All versions, Harmony/Magelis HMIGXU series All versions, Harmony/Magelis HMISTU series All versions, Harmony/Magelis XBTGC series All versions, Harmony/Magelis XBTGH series All versions, Magelis HMIGTO series: all versions, Magelis HMIGTU series: all versions, Magelis HMISCU series: all versions, Magelis XBTGC series: all versions, Magelis HMIGTUX series: all versions, Magelis HMISTU series: all versions, Magelis XBTGH series: all versions, Magelis XBTGT series: all versions, Magelis HMIGXO series: all versions, Magelis HMISTO series: all versions, Magelis HMIGXU series: all versions. Apply the following compensating controls:
- HARDENING: Segment the HMI network from the business network using firewalls and access controls; do not expose HMI devices directly to the Internet
- HARDENING: Monitor HMI panel availability and response times; alert on connection failures or timeouts that could indicate a denial-of-service attack
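One way to implement the availability monitoring recommended above, as an added example that is not part of the advisory or any Schneider Electric tooling. It assumes the monitoring host is on the firewall allowlist for the listed ports; the function names, the thresholds (3 consecutive failures, 5x the median latency) and the sample histories are illustrative assumptions.

```python
import socket
import time
from statistics import median

# Ports listed in the advisory for Magelis HMI panels.
HMI_PORTS = (44818, 502, 6000, 6001, 6002, 8014, 8080)

# Constructed probe histories in seconds (None = failed probe); not real measurements.
SAMPLE = {
    502:   [0.004, 0.005, 0.004, 0.006, 0.005, None, None, None],
    8080:  [0.010, 0.011, 0.009, 0.010, 0.012, 0.095],
    44818: [0.006, 0.005, None, 0.006, 0.005, 0.006],
}

def probe(host, port, timeout=2.0):
    """Plain TCP connect check: latency in seconds, or None on refusal/timeout."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None

def evaluate(history, max_failures=3, slow_factor=5.0, min_baseline=5):
    """Classify one port from its probe history (oldest first): DOWN, SLOW or OK."""
    failures = 0
    for sample in reversed(history):      # count trailing consecutive failures
        if sample is not None:
            break
        failures += 1
    if failures >= max_failures:
        return "DOWN"
    if not history or history[-1] is None:
        return "OK"                       # isolated failure, below alert threshold
    earlier = [s for s in history[:-1] if s is not None]
    if len(earlier) >= min_baseline and history[-1] > slow_factor * median(earlier):
        return "SLOW"                     # latest response far above the baseline
    return "OK"

def check_panel(histories, **kw):
    """Map {port: history} to {port: status}, keeping only ports that need an alert."""
    return {p: s for p, h in histories.items() if (s := evaluate(h, **kw)) != "OK"}

if __name__ == "__main__":
    print(check_panel(SAMPLE))
```

In use, a scheduler would call `probe()` for each port in `HMI_PORTS` that the panel actually serves, append the result to that port's history, and forward anything `check_panel()` returns to the alerting system.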
CVEs (1)
API: /api/v1/advisories/8c17795a-d119-402d-80d3-c7d16b0c452d