Schneider Electric Magelis HMI Panels
Monitor | 7.4 | ICS-CERT ICSA-20-044-02 | Feb 13, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Denial-of-service vulnerability in Schneider Electric Magelis HMI panels affecting HMIGTO, HMIGTU, HMISCU, XBTGC, HMIGTUX, HMIGXU, HMISTU, XBTGH, XBTGT, HMIGXO, and HMISTO series. All versions are affected. Successful exploitation could cause a denial-of-service condition, resulting in loss of human-machine interface availability and control system visibility.
What this means
What could happen
An attacker could remotely crash or hang the HMI panel, preventing operators from monitoring and controlling industrial processes. Loss of the HMI could interrupt plant operations if operators cannot see or interact with critical process parameters.
Who's at risk
Water utilities and municipal electric providers using Schneider Electric Magelis HMI panels for SCADA monitoring and control. Affected models include the HMIGTO, HMIGTU, HMISCU, XBTGC, HMIGTUX, HMIGXU, HMISTU, XBTGH, XBTGT, HMIGXO, and HMISTO series in energy and manufacturing sectors. Any facility relying on these HMI devices for process visibility and operator control is at risk.
How it could be exploited
An attacker with network access to the affected ports (44818/TCP, 502/TCP, 6000/TCP, 6002/TCP, 8080/TCP, 8014/TCP, or 6001/TCP) on the HMI panel could send a specially crafted request to trigger a denial-of-service condition, causing the panel to become unresponsive.
Prerequisites
- Network access to at least one of ports 44818/TCP, 502/TCP, 6000/TCP, 6002/TCP, 8080/TCP, 8014/TCP, or 6001/TCP on the HMI panel
- No authentication required
- No special user interaction required beyond sending the malicious request
- Remotely exploitable
- No authentication required
- Low complexity attack
- No patch available
- Affects operator interface—loss of visibility into critical processes
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (11)
11 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| Magelis HMIGTO series: all versions | All versions | No fix (EOL) |
| Magelis HMIGTU series: all versions | All versions | No fix (EOL) |
| Magelis HMISCU series: all versions | All versions | No fix (EOL) |
| Magelis XBTGC series: all versions | All versions | No fix (EOL) |
| Magelis HMIGTUX series: all versions | All versions | No fix (EOL) |
| Magelis HMISTU series: all versions | All versions | No fix (EOL) |
| Magelis XBTGH series: all versions | All versions | No fix (EOL) |
| Magelis XBTGT series: all versions | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Implement network firewall rules to block unauthorized access to ports 44818/TCP, 502/TCP, 6000/TCP, 6002/TCP, 8080/TCP, 8014/TCP, and 6001/TCP on all Magelis HMI panels
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Restrict network access to HMI panels to only authorized engineering workstations and control system devices; implement IP-based access lists if supported
- HARDENING: If remote access to the HMI is required, use a VPN with strong authentication; ensure the VPN software is kept up to date
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Magelis HMIGTO series: all versions, Magelis HMIGTU series: all versions, Magelis HMISCU series: all versions, Magelis XBTGC series: all versions, Magelis HMIGTUX series: all versions, Magelis HMISTU series: all versions, Magelis XBTGH series: all versions, Magelis XBTGT series: all versions, Magelis HMIGXO series: all versions, Magelis HMISTO series: all versions, Magelis HMIGXU series: all versions. Apply the following compensating controls:
- HARDENING: Segment the HMI network from the business network using firewalls and access controls; do not expose HMI devices directly to the Internet
- HARDENING: Monitor HMI panel availability and response times; alert on connection failures or timeouts that could indicate a denial-of-service attack
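One way to implement the availability monitoring recommended above, as an added example that is not part of the advisory or any Schneider Electric tooling. The names (`probe`, `AvailabilityMonitor`, `poll_once`) and the thresholds (3 consecutive failures, 5x the median connect time) are assumptions to tune per site.

```python
import socket
import time
from collections import defaultdict, deque

# Ports the advisory lists as reachable on affected Magelis panels.
HMI_PORTS = (44818, 502, 6000, 6002, 8080, 8014, 6001)

def probe(host, port, timeout=2.0):
    """TCP connect only (no payload sent); return seconds, or None on failure."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None

class AvailabilityMonitor:
    """Tracks probe results per (host, port) and decides when to alert."""
    def __init__(self, max_failures=3, slow_factor=5.0, window=20):
        self.max_failures = max_failures  # consecutive failures before alerting
        self.slow_factor = slow_factor    # multiple of median treated as slow
        self.failures = defaultdict(int)
        self.history = defaultdict(lambda: deque(maxlen=window))

    def record(self, host, port, latency):
        """Feed one probe result; return an alert string or None."""
        key, past = (host, port), self.history[(host, port)]
        if latency is None:
            if not past:          # never seen open: service not enabled here
                return None
            self.failures[key] += 1
            if self.failures[key] == self.max_failures:  # alert once per outage
                return f"ALERT {host}:{port} down ({self.max_failures} failed probes)"
            return None
        self.failures[key] = 0
        baseline = sorted(past)[len(past) // 2] if len(past) >= 5 else None
        past.append(latency)
        if baseline and latency > baseline * self.slow_factor:
            return f"WARN {host}:{port} slow ({latency:.3f}s, median {baseline:.3f}s)"
        return None

def poll_once(monitor, host, ports=HMI_PORTS, probe_fn=probe, timeout=2.0):
    """Probe each port once; return the alerts raised in this cycle."""
    results = (monitor.record(host, p, probe_fn(host, p, timeout)) for p in ports)
    return [alert for alert in results if alert]
```

Run `poll_once` on a schedule from a monitoring host that the firewall rules above explicitly permit, and forward its return value to the site's alerting system.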
CVEs (1)