PEPPERL+FUCHS Remote code execution vulnerability in HMI devices (Update A)

VDE-2019-011 (2019-05-29 10:35 UTC+0200)

Affected Vendors

PEPPERL+FUCHS

Affected Products

VisuNet RM*, VisuNet PC*, Box Thin Client BTC*

(All products within these families)

Vulnerability Type

Input Validation (CWE-20)

Summary

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre- authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.
To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP.
See details on Microsoft's advisories:

Update A, 07.10.2019

  • Added CVE-2019-1181 + CVE-2019-1182 to Summary
  • Removed line "VisuNet RM Shell 5 devices and VisuNet PC devices running Windows 10 are not affected by this vulnerability." from Impact.
  • Added "RM Shell 5 devices" info to Solution

Impact

VisuNet RM Shell 3 devices based on a Windows XP Embedded system do not contain the Remote Desktop Services and therefore this vulnerability could not be used by an attacker.

At VisuNet RM Shell 4 devices the Remote Desktop Services are disabled by default and therefore this vulnerability could not be used by an attacker. It could only be used when the device Administrator enabled the Remote Desktop Services after commissioning.

At VisuNet PC devices with Windows XP, Windows 7 or Windows 10 it should be verified if these services are disabled.

Systems with enabled Network Level Authentication (NLA) are only partially affected, as NLA requires authentication before the vulnerability can be triggered. However these systems are still vulnerable to Remote Code Execution (RCE) if the attacker has valid credentials.

Solution

Customers using Pepperl+Fuchs HMI devices out of VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:

  • Pepperl+Fuchs HMI devices running Windows XP, Windows 7 or Windows 10 should be updated by using the Windows Update mechanism.
  • Pepperl+Fuchs HMI devices running RM Shell 4 with enabled Remote Desktop Services should be updated with newest RM Image 4 Security Patches 01/2017 to 09/2019 (18-33400G): https://www.pepperl-fuchs.com/cgi- bin/db/doci.pl/?ShowDocByDocNo=18-33400
    For RM Shell 4 devices with disabled Remote Desktop Services (default
    commissioning state) this update is optional, but recommended.
  • Pepperl+Fuchs HMI devices running RM Shell 5 with enabled Remote Desktop
    Services should be updated with RM Image 5 Security Patches 09/2019 (18- 33624E): https://www.pepperl-fuchs.com/cgi- bin/db/doci.pl/?ShowDocByDocNo=18-33624
    For RM Shell 5 devices with disabled Remote Desktop Services (default commissioning state) this update is optional, but recommended.

For support please contact your local Pepperl+Fuchs sales representative.

Reported by

Pepperl+Fuchs reported this vulnerability to CERT@VDE.