Share: Email | Twitter

ID

VDE-2024-065

Published

2024-11-26 11:00 (CET)

Last update

2024-11-26 15:13 (CET)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No° Product Name Affected Version(s)
BTC22-NA-1BA1-NN0 < BIOS 1.01
BTC22-NA-1BAJ-NN0 < BIOS 1.01
BTC24-NA-1AA1-NN0 < BIOS 1.01
BTC24-NA-1AAJ-NN0 < BIOS 1.01
PC-320* < BIOS 1.02
RM-320* < BIOS 1.02

Summary

A vulnerability in the use of hard-coded Platform Keys (PK) within the UEFI framework, known as PKfail, has been discovered in several Pepperl+Fuchs devices.


Last Update:

18. November 2024 14:13

Weakness

Use of Default Cryptographic Key  (CWE-1394) 

Summary

A vulnerability related to the use an insecure Platform Key (PK) has been discovered. An attacker with the compromised PK private key can create malicious UEFI software that is signed with a trusted key that has been compromised.

 


Impact

An attacker with the compromised PK private key can create malicious UEFI software that is signed with a trusted key that has been compromised.

Solution

Mitigation

Protect the device from unauthorized physical access.

Remediation

Install the appropiate updates from the Pepperl+Fuchs Homepage:

  • 18-34761B (BIOS 1.01) for BTC22-*
  • 18-35033B (BIOS 1.01) for BTC24-*
  • 18-34132C (BIOS 1.02) for RM-320*
  • 18-34132C / 18-34133E (BIOS 1.02) for PC320*

Reported by

CERT@VDE coordinated with Pepperl+Fuchs SE