Pepperl+Fuchs human-machine interface (HMI) products are vulnerable to Meltdown and Spectre, according to a report with the German VDE CERT.
Pepperl+Fuchs said its VisuNet and Box Thin Client HMI devices rely on Intel CPUs, which makes them vulnerable to Meltdown and Spectre attacks. Affected products include: VisuNet RM, VisuNet PC, and Box Thin Client BTC.
Pepperl+Fuchs said impacted devices are designed for use on industrial control system (ICS) networks, and they should be isolated from the enterprise network and not directly accessible from the Internet.
To exploit these vulnerabilities, an attacker needs to be able to execute arbitrary code on the CPU of the target system, according to VDE CERT.
“Additionally, VisuNet HMI devices use a kiosk mode for normal operation. Within this mode, access policies of thin-client-based VisuNet Remote Monitors and Box Thin Clients are restricted, such that users can only access predefined servers,” VDE CERT said in a post.
Pepperl+Fuchs said these measures should greatly reduce the risk of attacks. However, if direct Internet access is allowed and a user is tricked into visiting a malicious website, an attacker may be able to execute arbitrary code and obtain data from the HMI device’s memory, including passwords.
Pepperl+Fuchs has released some updates that include the Windows patches for Meltdown and Spectre provided by Microsoft. However, the vendor has warned customers that the fixes could have a negative impact on performance and stability.