
ID

VDE-2018-008

Published

2018-07-06 15:37 (CEST)

Last update

2018-07-06 15:37 (CEST)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No.    Product Name            Affected Version(s)
               Box Thin Client BTC*    <= current version
               VisuNet PC*             <= current version
               VisuNet RM*             <= current version

Summary

Security researchers identified a remote code execution vulnerability in Microsoft's Credential Security Support Provider protocol (CredSSP). If exploited successfully, it is possible to relay user credentials for arbitrary code execution on the target system.

See details in Microsoft Advisory CVE-2018-0886 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886)


Last Update:

Jan. 31, 2020, 2:56 p.m.

Weakness

Improper Authentication (CWE-287)

Summary

The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016, and Windows Server, version 1709 allows remote code execution due to how CredSSP validates requests during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".

Impact

Successful exploitation enables an attacker to execute arbitrary code and gain access to sensitive data, e.g. passwords of the compromised system. The vulnerability allows the attacker to intercept the initial RDP connection between a client and a remote server. The attacker can then relay user credentials to a target system and thus gain complete man-in-the-middle control over a session. A stolen session can be abused to run arbitrary code or commands on the target server on behalf of the user. Consequently, for user sessions with sufficient privileges, malicious code can be executed, e.g. with local administrator privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Customers using Pepperl+Fuchs HMI devices out of VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:

Take care when installing these patches, because the update enforces security. The secure-by-default restriction might result in an error due to encryption oracle remediation. Updates should be installed on both the server and the HMI device; otherwise, system compatibility might be affected.
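
A check that goes with the guidance above, as an added example (not part of the Pepperl+Fuchs advisory): a PowerShell audit of the encryption oracle remediation policy on a server or Windows-based HMI. The registry path and the meanings of the values 0, 1 and 2 are assumptions taken from Microsoft's guidance for CVE-2018-0886, and the function names are hypothetical.

```powershell
# Added example: audit the CredSSP "Encryption Oracle Remediation" policy.
# Assumption: registry path and value meanings follow Microsoft's guidance for
# CVE-2018-0886; they are not stated in this advisory.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

function ConvertTo-CredSspPosture {
    # Hypothetical helper: maps the raw policy value to a setting and an action.
    # $Value is $null when AllowEncryptionOracle is not present.
    param($Value)
    if ($null -eq $Value) {
        $setting = 'Not configured'
        $action  = 'Default of the installed update applies; confirm the patch level'
    } else {
        switch ([int]$Value) {
            0 { $setting = 'Force Updated Clients'
                $action  = 'Strictest: unpatched peers are refused; patch server and HMI first' }
            1 { $setting = 'Mitigated'
                $action  = 'No fallback as client; services here still accept unpatched clients' }
            2 { $setting = 'Vulnerable'
                $action  = 'FINDING: insecure fallback allowed; temporary bridge only' }
            default { $setting = 'Unknown'
                      $action  = 'Unexpected value; review the policy' }
        }
    }
    [pscustomobject]@{ Value = $Value; Setting = $setting; Action = $action }
}

function Get-CredSspPolicy {
    # Reads the local policy value; a missing key or value yields $null.
    $item = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    $value = if ($item) { $item.AllowEncryptionOracle } else { $null }
    ConvertTo-CredSspPosture $value |
        Add-Member -NotePropertyName ComputerName -NotePropertyValue $env:COMPUTERNAME -PassThru
}

# Constructed sample values (not read from any real device) to show every outcome.
foreach ($sample in @($null, 0, 1, 2)) { ConvertTo-CredSspPosture $sample }

# Local audit of the machine the script runs on (server or Windows-based HMI).
Get-CredSspPolicy
```

Running it on both ends of an RDP connection shows whether a connection error after patching comes from a strict setting on one side meeting an unpatched peer on the other.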

This advisory will be updated as further details and/or software updates become available.

Reported by

Eyal Karni, Yaron Zinar, Roman Blachman @ Preempt, Research Labs reported these vulnerabilities to PEPPERL+FUCHS.