Summary
Critical vulnerabilities have been discovered in Microsoft's Remote Desktop Client, a component used in the affected products. For more information see: msrc.microsoft.com/update-guide/vulne... 2022-21990
Impact
Pepperl+Fuchs analyzed and identified affected devices.
In the case of a Remote Desktop connection, an attacker who controls a Remote Desktop Server could trigger remote code execution (RCE) on the RDP client machine when a victim connects to the attacking server with the vulnerable Remote Desktop Client. The impact of the vulnerabilities on the affected device may result in code execution.
With the affected products, a connection can only be established to RDP servers that have already been preconfigured by a user in the administrator or engineer role. A user in the operator role therefore cannot connect to an arbitrary RDP server.
Affected Product(s)
Model no. | Product name | Affected versions |
---|---|---|
BTC11-*-TS3-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
BTC12-*-TS2-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
BTC12-*-TS3-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2019 | |
BTC14-*-TS2-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
BTC14-*-TS3-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2019 | |
PAD-EX01P8DZ2EURC0508256WIFRMS | Windows RM Shell Version 5.x, Windows 10 LTSC 2019 | |
Pepperl+Fuchs Hardware RM-GXP-*-T3-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2019 | |
Pepperl+Fuchs Software BTC11-*-TS2-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
RM-320S-*-2-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2019 | |
RM-GXP-*-T2-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
RM2xx-*-T6-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
RM3207-*-T61-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
RM32xx-*-T61-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
RM37xx-*-T6-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
RM82xx-*-T61-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
RM87xx-*-T61-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
RM9xx-*-T61-* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
UPGRADE-RMSHELL4-TO-SHELL5* | Windows RM Shell Version 5.x, Windows 10 LTSC 2016 | |
UPGRADE-TO-SHELL5-2019-LTSC* | Windows RM Shell Version 5.x, Windows 10 LTSC 2019 | |
Vulnerabilities
Remote Desktop Client Remote Code Execution Vulnerability
Mitigation
The following external protective measures are required:
- Connect only to trusted RDP servers.
- Protect your RDP servers with anti-virus software and an Intrusion Detection System (IDS).
- Restrict access to the RDP servers and to the administrator and engineer roles on the affected device.
Remediation
Install the following firmware with security patches to fix this vulnerability.
For products with Windows 10 LTSB 2016:
RM Image 5 Windows Cumulative Security Patch 03/2022 (KB5011495)
- incl. 2021-09 Servicing Stack Update (KB5005698)
- incl. Microsoft .NET Framework 4.7.2 for x64 (KB4054590)
Link: www.pepperl-fuchs.com/cgi-bin/db/doci...
For products with Windows 10 LTSC 2019:
RM Image 5.5 Windows Cumulative Security Patch for LTSC 03/2022 (KB5011503)
- incl. 08/2021 Servicing Stack Update (KB5005112)
Link: www.pepperl-fuchs.com/cgi-bin/db/doci...
Please note that the links provided are managed and point to the latest firmware available for VisuNet devices.
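To confirm after installation that a device actually carries the cumulative update named above, the following PowerShell check can be run on the device. It is an added example, not Pepperl+Fuchs or Microsoft code; the function name is hypothetical, and the build numbers and minimum revision (UBR) values are assumptions taken from Microsoft's release information rather than from this advisory.

```powershell
# Added example (not vendor code). KB numbers come from the advisory; the build and
# minimum-revision (UBR) values are assumptions taken from Microsoft's release notes.
$Required = @{
    14393 = @{ Os = 'Windows 10 LTSB 2016'; Kb = 'KB5011495'; MinUbr = 5006 }
    17763 = @{ Os = 'Windows 10 LTSC 2019'; Kb = 'KB5011503'; MinUbr = 2686 }
}

function Test-RdpClientPatch {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [int]$Build,
        [Parameter(Mandatory)] [int]$Ubr,
        [string[]]$InstalledKbs = @()
    )
    # Builds other than the two Windows 10 releases in the advisory are out of scope.
    if (-not $Required.ContainsKey($Build)) {
        return [pscustomobject]@{
            Build = $Build; Ubr = $Ubr; RequiredKb = $null
            Status = 'NotCovered'; Reason = 'OS build is not listed in this advisory'
        }
    }
    $req = $Required[$Build]
    # Cumulative updates supersede each other, so a later update removes the original
    # KB from the hotfix list; the revision number is the reliable signal.
    $hasKb     = $InstalledKbs -contains $req.Kb
    $ubrIsNew  = $Ubr -ge $req.MinUbr
    $status    = if ($hasKb -or $ubrIsNew) { 'Patched' } else { 'Missing' }
    $reason    = if ($hasKb)        { "$($req.Kb) is installed" }
                 elseif ($ubrIsNew) { "Revision $Ubr is at or above $($req.MinUbr)" }
                 else               { "Install $($req.Kb) for $($req.Os)" }
    [pscustomobject]@{
        Build = $Build; Ubr = $Ubr; RequiredKb = $req.Kb
        Status = $status; Reason = $reason
    }
}

# Read the running build and revision from the registry and the installed hotfix list.
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$kbs = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
Test-RdpClientPatch -Build ([int]$cv.CurrentBuildNumber) -Ubr ([int]$cv.UBR) -InstalledKbs $kbs
```

A `Status` of `Missing` means the device still needs the firmware patch listed for its Windows 10 release.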
Revision History
Version | Date | Summary |
---|---|---|
1.0.0 | 26.04.2022 14:00 | Initial revision. |
1.1.0 | 16.05.2022 16:15 | Added firmware and security update details for Windows 10 LTSB 2016 and LTSC 2019. |