CVE-2016-8367

moderate-risk

Published 2017-02-13

An issue was discovered in Schneider Electric Magelis HMI Magelis GTO Advanced Optimum Panels, all versions, Magelis GTU Universal Panel, all versions, Magelis STO5xx and STU Small panels, all versions, Magelis XBT GH Advanced Hand-held Panels, all versions, Magelis XBT GK Advanced Touchscreen Panels with Keyboard, all versions, Magelis XBT GT Advanced Touchscreen Panels, all versions, and Magelis XBT GTW Advanced Open Touchscreen Panels (Windows XPe). An attacker can open multiple connections to a targeted web server and keep connections open preventing new connections from being made, rendering the web server unavailable during an attack.

Do I need to act?

13.7% chance of exploitation in next 30 days

EPSS score — higher than 86% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (8)

Magelis Sto5 Small Panel Firmware

Magelis Xbt Gh Advanced Hand-Held Panel Firmware

Magelis Xbt Gk Advanced Touchscreen Panel With Keyboard Firmware

Magelis Gtu Universal Panel Firmware

Magelis Gto Advanced Optimum Panel Firmware

Magelis Stu Small Panel Firmware

Magelis Xbt Gt Advanced Touchscreen Panel Firmware

Magelis Xbt Gtw Advanced Open Touchscreen Panel Firmware

Affected Vendors

Schneider-Electric

References (4)

Third Party Advisory http://www.securityfocus.com/bid/94093

Third Party Advisory https://ics-cert.us-cert.gov/advisories/ICSA-16-308-02

Third Party Advisory http://www.securityfocus.com/bid/94093

Third Party Advisory https://ics-cert.us-cert.gov/advisories/ICSA-16-308-02

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 12/34 · Low

Exposure 14/34 · Moderate