VDE-2018-008 | CERT@VDE

2018-07-06 15:37 (CEST) VDE-2018-008

Pepperl+Fuchs: Remote Code Execution Vulnerability in HMI Devices

Share: Email | Twitter

ID

VDE-2018-008

Published

2018-07-06 15:37 (CEST)

Last update

2018-07-06 15:37 (CEST)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No°	Product Name	Affected Version(s)
	Box Thin Client BTC*	<= current version
	VisuNet PC*	<= current version
	VisuNet RM*	<= current version

Summary

A remote code execution vulnerability in the Microsoft's Credential Security Support Provider protocol (CredSSP) was identified by security researchers. If exploited successfully, it is possible to relay user credentials for arbitrary code execution on the target system.

See details on Microsoft Advisory CVE-2018-0866 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886)

CVE ID

CVE-2018-0886

Last Update:

Jan. 31, 2020, 2:56 p.m.

Severity

7.0 (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Weakness

Improper Authentication (CWE-287)

Summary

The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".

Details

nvd.nist.gov

Impact

A successful vulnerability exploitation enables an attacker to execute arbitrary code and get access to sensitive data, e.g. passwords of the compromised system. The vulnerability allows the attacker to intercept the initial RDP connection between a client and a remote-server. Then an attacker can relay user credentials to a target system and thus get complete Man in the Middle control over a session. A stolen session can be abused to run arbitrary code or commands on the target server on behalf of the user. In consequence for user sessions with sufficient privileges malicious code execution e.g. with local administrator privileges is enabled. This implies that an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Solution

Customers using Pepperl+Fuchs HMI devices out of VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:

Pepperl+Fuchs HMI devices running RM Shell 4 should be updated with RM Image 4 Security Patches 01/2017 to 05/2018 (18-33400C): https://www.pepperl-fuchs.com/cgi-bin/db/doci.pl/?ShowDocByDocNo=18-33400c
Pepperl+Fuchs HMI devices running RM Shell 5 should be updated with RM Image 5 Security: Windows Cumulative Security Patch 07/2018 (18-33624): https://www.pepperl-fuchs.com/cgi-bin/db/doci.pl/?ShowDocByDocNo=18-33624
Pepperl+Fuchs HMI devices running Windows 7 or Windows 10 should be updated by using the Windows Update mechanism.
After deploying the patch all connected third-party clients or servers must use the latest version of the CredSSP protocol.

Be aware of installing these patches, because security will be enforced by the update. Security by default restriction might result in an error due to encryption oracle remediation. Updates should be installed on both the server and the HMI device; otherwise, system compatibility might be influenced.

This advisory will be updated as further details and/or software updates become available.

Reported by

Eyal Karni, Yaron Zinar, Roman Blachman @ Preempt, Research Labs reported these vulnerabilities to PEPPERL+FUCHS.