PEPPERL+FUCHS has a list of guidelines to follow to help mitigate an improper authentication vulnerability in its VisuNet RM, VisuNet PC and Box Thin Client (BTC), according to a report with NCCIC.
Successful exploitation of this vulnerability, discovered by Eyal Karni, Yaron Zinar, and Roman Blachman with Preempt Research Labs, could allow attackers to intercept sensitive communications, establish a man-in-the-middle attack, achieve administrator privileges, and execute remote code.
The following PEPPERL+FUCHS product families suffer from the issue:
• VisuNet RM All models
• VisuNet PC All models
• BTC All models
The issue is an authentication vulnerability within CredSSP that may allow interception of user credentials, resulting in remote code execution.
CVE-2018-0886 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The products see action mainly in the communications, critical manufacturing and information technology sectors. They also see use on a global basis.
No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. A high skill level is needed to exploit it.
Germany-based PEPPERL+FUCHS recommends that users of HMI devices within the VisuNet RM, VisuNet PC or BTC product families follow these guidelines:
• PEPPERL+FUCHS HMI devices running RM Shell 4 should be updated with ‘RM Image 4 Security Patches 01/2017 to 05/2018’ (18-33400C).
• PEPPERL+FUCHS HMI devices running RM Shell 5 should be updated with ‘RM Image 5 Security: Windows Cumulative Security Patch 07/2018’ (18-33624).
• PEPPERL+FUCHS HMI devices running Windows 7 or Windows 10 should be updated by using the Windows Update mechanism. See Microsoft’s security bulletin for more information.
• After deploying the patch, all connected third-party clients or servers must use the latest version of the CredSSP protocol.
• Be aware of the importance of installing these patches, as the update enforces security. The security-by-default restriction might result in an error due to encryption oracle remediation. Updates should be installed on both the server and the HMI device; otherwise system compatibility might be affected.
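The compatibility error described in the last guideline can be checked before rollout. The following PowerShell is an added example, not code from PEPPERL+FUCHS or the advisory: it reads the local Encryption Oracle Remediation policy and shows which client/server combinations are blocked. The registry path, value meanings and interoperability rules follow Microsoft's published guidance for CVE-2018-0886; the function names and the sample HMI state are assumptions made for illustration.

```powershell
# Added example: audit the CredSSP "Encryption Oracle Remediation" policy.
# Registry path and value meanings follow Microsoft's CVE-2018-0886 guidance.
$Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Names = @{ 0 = 'ForceUpdatedClients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }
$States = 'Unpatched', 'ForceUpdatedClients', 'Mitigated', 'Vulnerable'

# Hypothetical helper: return the locally configured policy name.
function Get-CredSspPolicy {
    $item = Get-ItemProperty -Path $Path -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # default then depends on installed updates
    $value = [int]$item.AllowEncryptionOracle
    if ($Names.ContainsKey($value)) { return $Names[$value] }
    return "Unknown($value)"
}

# Hypothetical helper: outcome of a CredSSP connection for a client/server pair.
function Test-CredSspConnection {
    param(
        [ValidateSet('Unpatched', 'ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
        [string]$Client,
        [ValidateSet('Unpatched', 'ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
        [string]$Server
    )
    # A patched client set to ForceUpdatedClients or Mitigated refuses an unpatched server.
    if ($Server -eq 'Unpatched' -and ('ForceUpdatedClients', 'Mitigated' -contains $Client)) {
        return 'Blocked'
    }
    # A server set to ForceUpdatedClients refuses an unpatched client.
    if ($Client -eq 'Unpatched' -and $Server -eq 'ForceUpdatedClients') {
        return 'Blocked'
    }
    # Any remaining pair with an unpatched side connects without the fix.
    if ($Client -eq 'Unpatched' -or $Server -eq 'Unpatched') {
        return 'Allowed (exposed to CVE-2018-0886)'
    }
    return 'Allowed'
}

"Local policy: $(Get-CredSspPolicy)"

# Constructed scenario: a patched HMI client in 'Mitigated' state against each server state.
foreach ($server in $States) {
    $result = Test-CredSspConnection -Client 'Mitigated' -Server $server
    "HMI (Mitigated) -> server ($server): $result"
}
```

A 'Blocked' result corresponds to the encryption oracle remediation error mentioned above, which is why the patch must be on both ends of the connection.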
For more information, CERT@VDE released a security advisory.