VDE-2024-065 | CERT@VDE

2024-11-26 11:00 (CET) VDE-2024-065

PEPPERL+FUCHS: HMI devices are affected by Insecure Platform Key

Share: Email | Twitter

ID

VDE-2024-065

Published

2024-11-26 11:00 (CET)

Last update

2024-11-26 15:13 (CET)

Vendor(s)

Pepperl+Fuchs SE

Product(s)

Article No°	Product Name	Affected Version(s)
	BTC22-NA-1BA1-NN0	< BIOS 1.01
	BTC22-NA-1BAJ-NN0	< BIOS 1.01
	BTC24-NA-1AA1-NN0	< BIOS 1.01
	BTC24-NA-1AAJ-NN0	< BIOS 1.01
	PC-320*	< BIOS 1.02
	RM-320*	< BIOS 1.02

Summary

A vulnerability in the use of hard-coded Platform Keys (PK) within the UEFI framework, known as PKfail, has been discovered in several Pepperl+Fuchs devices.

CVE ID

CVE-2024-8105

Last Update:

Nov. 18, 2024, 2:13 p.m.

Severity

6.4 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

Weakness

Use of Default Cryptographic Key (CWE-1394)

Summary

A vulnerability related to the use an insecure Platform Key (PK) has been discovered. An attacker with the compromised PK private key can create malicious UEFI software that is signed with a trusted key that has been compromised.

Details

cert.vde.com

Impact

An attacker with the compromised PK private key can create malicious UEFI software that is signed with a trusted key that has been compromised.

Solution

Mitigation

Protect the device from unauthorized physical access.

Remediation

Install the appropiate updates from the Pepperl+Fuchs Homepage:

18-34761B (BIOS 1.01) for BTC22-*
18-35033B (BIOS 1.01) for BTC24-*
18-34132C (BIOS 1.02) for RM-320*
18-34132C / 18-34133E (BIOS 1.02) for PC320*

Reported by

CERT@VDE coordinated with Pepperl+Fuchs SE