Pepperl+Fuchs HMI devices vulnerable to Meltdown and Spectre Attacks

VDE-2018-002 (2018-02-14 08:50 UTC+0100)

Affected Vendors

PEPPERL+FUCHS

Affected Products

VisuNet RM*, VisuNet PC*, Box Thin Client BTC*

Summary

Critical vulnerabilities within several CPUs have been identified by security researchers. These hardware vulnerabilities allow programs to learn about the contents of a system's memory, using side-channel attacks. Potential attack vectors against these vulnerabilities have been published and dubbed Meltdown and Spectre. While programs are typically not permitted to read data from the OS kernel or from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in kernel memory or the memory of other programs executed on the same CPU. As a consequence, an exploit could allow attackers to get access to any sensitive data, including passwords or cryptographic keys.

Impact

Pepperl+Fuchs analysed their HMI products in respect of the Meltdown and Spectre attacks. To the vendor's current knowledge, their VisuNet and Box Thin Client HMI devices, based on an Intel® CPU, are potentially affected by these vulnerabilities.

In order to exploit these vulnerabilities, an attacker needs to be able to execute arbitrary code on the CPU of the target system.

Since Pepperl+Fuchs HMI devices are designed and intended to be used in Industrial Control System networks, typically these devices are segregated from enterprise networks and do not have direct internet access. Additionally, VisuNet HMI devices use a kiosk mode for normal operation. Within this mode access policies of thin client based VisuNet Remote Monitors and Box Thin Clients are restricted, such that users can only access predefined servers. This implies that outgoing connections and local software installations have to be configured by administrators. Hence, operators are restricted in a way such that they can only use the system as configured by administrators. If these steps are taken, this greatly reduces the risk of unwittingly accessing malicious content and executing unknown code, e.g. by accessing a website that was prepared by an attacker.

However, if a malicious website is accessed, the attacker could gain knowledge of all data in the memory of the HMI device, including passwords.

Solution

Pepperl+Fuchs recommend users of their HMI devices of the VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:

  • Pepperl+Fuchs HMI devices should be segregated from enterprise networks and the Internet.
  • Preconfigured server connections / websites should be restricted to secured and trusted servers. The use of secure protocols, e.g. HTTPS, is recommended.
  • In case websites are configured in kiosk mode, it should be ensured that whitelisted websites do not redirect to untrusted servers / websites.
  • For VisuNet RM* and Box Thin Client with Shell 4.x, update 18-33537, which includes Windows security updates published by Microsoft, is available on the Pepperl+Fuchs website.
  • For VisuNet PC* systems with Microsoft Windows operating systems, Microsoft offers security updates, which can be downloaded from the Microsoft website.

Please note that the Microsoft security updates directly affect machine code execution on the CPU. Users should be aware that installing these patches might negatively affect system performance and/or system stability.

This advisory will be updated as further details and/or software updates become available.

Reported by

Jann Horn (Google Project Zero), Werner Haas, Thomas Prescher (Cyberus Technology), Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz (Graz University of Technology) published the Meltdown attack on https://meltdownattack.com/.

Jann Horn (Google Project Zero) and Paul Kocher, Daniel Genkin (University of Pennsylvania and University of Maryland), Mike Hamburg (Rambus), Moritz Lipp (Graz University of Technology), and Yuval Yarom (University of Adelaide and Data61) published the Spectre attack on https://meltdownattack.com/.

Pepperl+Fuchs reported the vulnerability to CERT@VDE.