Beckhoff produced a new build and security advisories in 2014 with instructions to mitigate vulnerabilities in its Embedded PC Images and TwinCAT Components, according to a report on ICS-CERT.
Marko Schuba from FH Aachen University of Applied Sciences identified the remotely exploitable vulnerabilities, published them and reported them to Beckhoff afterward.
Beckhoff said the vulnerabilities may affect the following products:
• All Beckhoff Embedded PC Images with a creation date prior to October 22, 2014
• All TwinCAT Components featuring Automation Device Specification (ADS) communication
If used without proper protection, an attacker may misuse those services to gain unauthorized access to systems or read and manipulate transmitted information, especially passwords. Attackers may use ADS protocol to rapidly probe a large number of user or password combinations.
Beckhoff is a German-based company.
Beckhoff Embedded PCs are hardware PC products meant to be in control cabinets and configured to function in different ways in an industrial control system.
Beckhoff TwinCAT is a software product that can allow a PC to function as a real-time controller. These products see action across several sectors including critical manufacturing, energy, and water and wastewater systems. Beckhoff estimates these products see use on a global basis.
Attackers may use ADS protocol to rapidly probe a large number of user or password combinations.
CVE-2014-5414 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.
In versions older than October 22, 2014, Beckhoff Images for Embedded PCs end up delivered with the Windows CE Remote Configuration Tool reachable, enabled CE Remote Display service, and enabled telnet service. Use of these services should only occur on trusted networks. If used without proper protection, an attacker may misuse those services to gain unauthorized access to systems or read and manipulate transmitted information, especially passwords. Precondition of the exploitation of those services is the attacker has access to the services at the corresponding network ports (TCP 80/987/23). This implies that the services are running.
CVE-2014-5415 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill would be able to exploit these vulnerabilities.
Beckhoff recommends in their IPC Security Manual to use network and software firewalls to block all network ports except the ones needed. Beckhoff also recommends to change default passwords during commissioning before connecting systems to the network.
In their advisories (Advisory 2014-001, Advisory 2014-002, Advisory 2014-003, published November 17, 2014) for these issues, Beckhoff also recommends the following mitigation solutions:
• Update images to build October 22, 2014, or newer, which solve these problems by disabling the services by default.
• Disable the Windows CE Remote Configuration Tool by deleting the subtree “/remoteadmin.” The configuration of the web server paths can be found in the Windows registry at the path “HKEY_LOCAL_MACHINE\COMM\HTTPD\VROOTS\.”
• Disable startup of CE Remote Display service (cerdisp.exe) with deleting the registry key containing the “CeRDisp.exe” [-HKEY_LOCAL_MACHINE\init\Launch90].
• Disable telnet by setting the registry key [HKEY_LOCAL_MACHINE\Services\TELNETD\Flags] to dword: 4
• Restrict ADS communication to trusted networks only