ICSA-16-308-02B  ·  Published 2025-06-05  ·  Source: CISA ICS-CERT

Schneider Electric Magelis HMI Resource Consumption Vulnerabilities (Update B)

CVSS 7.5 HIGH

Remediations

  • Schneider Electric has released a new version of Vijeo XD, Version 2.4.2, which does not integrate the web server feature containing the identified vulnerabilities.
  • Schneider Electric’s Vijeo XD, Version 2.4.2, is available at the following location: (http://www.schneider-electric.com/en/download/range/62621-Vijeo%20XD/?docTypeGroup=3541958-Software%2FFirmware)
  • Schneider Electric states that users who need the web server feature should instead apply the following measures to minimize potential exposure:
      • Schneider Electric advises users with products having Runtime versions prior to Version 6.2 Service Pack 2 to upgrade to the latest available version. Current versions of the Runtime do not require a reboot for the HMI to recover from attack.
      • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
      • Minimize potential attack surface by leaving the Web Gate Server set to its default disabled state if it is not needed.
      • Place control system networks and devices behind firewalls, and isolate them from the business network.
      • Limit traffic on the local network with managed switches.
      • Where possible, avoid Wi-Fi capabilities, but when Wi-Fi is essential, use only secure communications (such as WPA2 encryption).
      • Do not grant access to unknown computers.
      • When remote access is essential, use secure methods, such as Virtual Private Networks (VPNs), and ensure the remote access solution(s), as well as the remote computer(s), are kept up-to-date with the latest security patches.
  • For further information on vulnerabilities or interim mitigations, please see Schneider Electric’s Security Notification - Magelis HMI, at the following location: (http://www.schneider-electric.com/en/download/document/SEVD-2016-302-01/)

Affected Vendors

Schneider Electric

Affected Products (7)

Schneider Electric · Magelis GTO Advanced Optimum Panels vers:all/*
Schneider Electric · Magelis GTU Universal Panel vers:all/*
Schneider Electric · Magelis STO5xx and STU Small panels vers:all/*
Schneider Electric · Magelis XBT GH Advanced Hand-held Panels vers:all/*
Schneider Electric · Magelis XBT GK Advanced Touchscreen Panels with Keyboard vers:all/*
Schneider Electric · Magelis XBT GT Advanced Touchscreen Panels vers:all/*
Schneider Electric · Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe) vers:all/*
