PEPPERL+FUCHS Remote code execution vulnerability in HMI devices

Security advisory for Pepperl+Fuchs devices of the series VisuNet RM*, VisuNet PC* and Box Thin Client BTC* regarding the Microsoft Remote Desktop Services (RDP) vulnerability CVE-2019-0708.

VDE-2019-011 (2019-05-29 10:25 UTC+0200)

CVE Identifier

CVE-2019-0708

Affected Vendors

PEPPERL+FUCHS

Affected Products

VisuNet RM*
VisuNet PC*
Box Thin Client BTC*

Vulnerability Type

Input Validation (CWE-20)

Summary

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.
To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system's Remote Desktop Service via RDP.
See details in the Microsoft Advisory for CVE-2019-0708 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708).

Impact

VisuNet RM Shell 3 devices are based on a Windows XP Embedded system that does not contain the Remote Desktop Services; this vulnerability therefore cannot be exploited on them.

On VisuNet RM Shell 4 devices the Remote Desktop Services are disabled by default, so this vulnerability cannot be exploited in the delivered state. It becomes exploitable only if the device administrator enabled the Remote Desktop Services after commissioning.

On VisuNet PC devices running Windows XP or Windows 7, verify whether this service is disabled.

Systems with Network Level Authentication (NLA) enabled are only partially affected, because NLA requires authentication before the vulnerability can be triggered. However, these systems remain vulnerable to Remote Code Execution (RCE) if the attacker has valid credentials.

VisuNet RM Shell 5 devices and VisuNet PC devices running Windows 10 are not affected by this vulnerability.

Solution

Customers using Pepperl+Fuchs HMI devices from the VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:

  • Pepperl+Fuchs HMI devices running Windows XP or Windows 7 should be updated using the Windows Update mechanism.

  • Pepperl+Fuchs HMI devices running RM Shell 4 with Remote Desktop Services enabled should be updated with RM Image 4 Security Patches 01/2017 to 05/2019 (18-33400E): https://www.pepperl-fuchs.com/cgi-bin/db/doci.pl/?ShowDocByDocNo=18-33400E

    For RM Shell 4 devices with Remote Desktop Services disabled (the default commissioning state) this update is optional.
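As an added example that is not part of the advisory, the following PowerShell check reports the local state the Impact section asks operators to verify on a Windows 7 based VisuNet PC: whether Remote Desktop Services are disabled and whether NLA is enforced. It assumes PowerShell is available (true on Windows 7, not on Windows XP by default) and reads the standard Windows Terminal Server registry settings.

```powershell
# Added example, not Pepperl+Fuchs code: reports RDP exposure state relevant to CVE-2019-0708.
# Run in an elevated PowerShell session on the HMI device being assessed.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections = 1 means Remote Desktop is disabled (the RM Shell 4 default state).
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
# UserAuthentication = 1 means Network Level Authentication must succeed before a session is set up.
$nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
# Is the Remote Desktop Services service present, and is anything listening on the RDP port?
$svc       = Get-Service -Name TermService -ErrorAction SilentlyContinue
$listening = netstat -ano | Select-String ':3389\s' | Select-String 'LISTENING'

$rdpEnabled = ($deny -ne 1)

Write-Output ("Remote Desktop Services (TermService): {0}" -f $(if ($svc) { $svc.Status } else { 'not installed' }))
Write-Output ("RDP connections allowed (fDenyTSConnections={0}): {1}" -f $deny, $rdpEnabled)
Write-Output ("NLA required (UserAuthentication={0}): {1}" -f $nla, ($nla -eq 1))
Write-Output ("Listener on TCP/3389: {0}" -f [bool]$listening)

# Map the observed state onto the advisory's Impact statements.
if (-not $rdpEnabled) {
    Write-Output 'Result: RDP disabled - CVE-2019-0708 is not reachable over the network; the update is optional.'
} elseif ($nla -eq 1) {
    Write-Output 'Result: RDP enabled with NLA - exploitation requires valid credentials; apply the update.'
} else {
    Write-Output 'Result: RDP enabled without NLA - pre-authentication exposure; disable RDP or apply the update now.'
}
```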

Reported by

For support please contact your local Pepperl+Fuchs sales representative.