VDE-2018-002

Vulnerability from csaf_pepperlfuchsse - Published: 2018-02-14 08:50 - Updated: 2025-05-14 12:28
Summary
Pepperl+Fuchs: HMI devices vulnerable to Meltdown and Spectre Attacks
Notes
Summary: Critical vulnerabilities within several CPUs have been identified by security researchers. These hardware vulnerabilities allow programs to learn about the contents of a system's memory, using side-channel attacks. Potential attack vectors against these vulnerabilities have been published and dubbed Meltdown and Spectre. While programs are typically not permitted to read data from the OS kernel or from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in kernel memory or the memory of other programs executed on the same CPU. As a consequence, an exploit could allow attackers to get access to any sensitive data, including passwords or cryptographic keys.
Impact: Pepperl+Fuchs analysed their HMI products in respect of the Meltdown and Spectre attacks. To the vendor's current knowledge, their VisuNet and Box Thin Client HMI devices, based on an Intel® CPU, are potentially affected by these vulnerabilities.

In order to exploit these vulnerabilities, an attacker needs to be able to execute arbitrary code on the CPU of the target system.

Since Pepperl+Fuchs HMI devices are designed and intended to be used in Industrial Control System networks, typically these devices are segregated from enterprise networks and do not have direct internet access. Additionally, VisuNet HMI devices use a kiosk mode for normal operation. Within this mode access policies of thin client based VisuNet Remote Monitors and Box Thin Clients are restricted, such that users can only access predefined servers. This implies that outgoing connections and local software installations have to be configured by administrators. Hence, operators are restricted in a way such that they can only use the system as configured by administrators. If these steps are taken, this greatly reduces the risk of unwittingly accessing malicious content and executing unknown code, e.g. by accessing a website that was prepared by an attacker.

However, if a malicious website is accessed, the attacker could gain knowledge of all data in the memory of the HMI device, including passwords.

Remediation: Pepperl+Fuchs recommend users of their HMI devices of the VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:

  • Pepperl+Fuchs HMI devices should be segregated from enterprise networks and the Internet.
  • Preconfigured server connections / websites should be restricted to secured and trusted servers. The use of secure protocols, e.g. HTTPS, is recommended.
  • In case websites are configured in kiosk mode, it should be ensured that whitelisted websites do not redirect to untrusted servers / websites.
  • For VisuNet RM* and Box Thin Client with Shell 4.x, update 18-33537, which includes Windows security updates published by Microsoft, is available on the Pepperl+Fuchs website.
  • For VisuNet PC* systems with Microsoft Windows operating systems, Microsoft offers security updates, which can be downloaded from the Microsoft website.

Please note that the Microsoft security updates directly affect machine code execution on the CPU. Users should be aware that installing these patches might negatively affect system performance and/or system stability.

This advisory will be updated as further details and/or software updates become available.

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CWE-203 - Observable Discrepancy

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

CWE-203 - Observable Discrepancy
Acknowledgments
CERT@VDE
Google Project Zero: Jann Horn
Cyberus Technology: Werner Haas, Thomas Prescher
Graz University of Technology: Daniel Gruss, Moritz Lipp, Stefan Mangard, Michael Schwarz
Rambus: Mike Hamburg
University of Adelaide and Data61: Yuval Yarom
University of Pennsylvania and University of Maryland: Paul Kocher, Daniel Genkin

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination"
      },
      {
        "names": [
          "Jann Horn"
        ],
        "organization": "Google Project Zero",
        "summary": "discovery"
      },
      {
        "names": [
          "Werner Haas",
          "Thomas Prescher"
        ],
        "organization": "Cyberus Technology",
        "summary": "discovery"
      },
      {
        "names": [
          "Daniel Gruss",
          "Moritz Lipp",
          "Stefan Mangard",
          "Michael Schwarz"
        ],
        "organization": "Graz University of Technology",
        "summary": "discovery"
      },
      {
        "names": [
          "Mike Hamburg"
        ],
        "organization": "Rambus",
        "summary": "discovery"
      },
      {
        "names": [
          "Yuval Yarom"
        ],
        "organization": "University of Adelaide and Data61",
        "summary": "discovery"
      },
      {
        "names": [
          "Paul Kocher",
          "Daniel Genkin"
        ],
        "organization": "University of Pennsylvania and University of Maryland",
        "summary": "discovery"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "Critical vulnerabilities within several CPUs have been identified by security researchers. These hardware vulnerabilities allow programs to learn about the contents of a system\u0027s memory, using side-channel attacks. Potential attack vectors against these vulnerabilities have been published and dubbed Meltdown and Spectre. While programs are typically not permitted to read data from the OS kernel or from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in kernel memory or the memory of other programs executed on the same CPU. As a consequence, an exploit could allow attackers to get access to any sensitive data, including passwords or cryptographic keys.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "Pepperl+Fuchs analysed their HMI products in respect of the Meltdown and Spectre attacks. To the vendor\u0027s current knowledge, their VisuNet and Box Thin Client HMI devices, based on an Intel\u00ae CPU, are potentially affected by these vulnerabilities.\n\nIn order to exploit these vulnerabilities, an attacker needs to be able to execute arbitrary code on the CPU of the target system.\n\nSince Pepperl+Fuchs HMI devices are designed and intended to be used in Industrial Control System networks, typically these devices are segregated from enterprise networks and do not have direct internet access. Additionally, VisuNet HMI devices use a kiosk mode for normal operation. Within this mode access policies of thin client based VisuNet Remote Monitors and Box Thin Clients are restricted, such that users can only access predefined servers. This implies that outgoing connections and local software installations have to be configured by administrators. Hence, operators are restricted in a way such that they can only use the system as configured by administrators. If these steps are taken, this greatly reduces the risk of unwittingly accessing malicious content and executing unknown code, e.g. by accessing a website that was prepared by an attacker.\n\nHowever, if a malicious website is accessed, the attacker could gain knowledge of all data in the memory of the HMI device, including passwords.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Pepperl+Fuchs recommend users of their HMI devices of the VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:\n\nPepperl+Fuchs HMI devices should be segregated from enterprise networks and the Internet.\nPreconfigured server connections / websites should be restricted to secured and trusted servers. The use of secure protocols, e.g. HTTPS, is recommended.\nIn case websites are configured in kiosk mode, it should be ensured that whitelisted websites do not redirect to untrusted servers / websites.\nFor VisuNet RM* and Box Thin Client with Shell 4.x, update 18-33537, which includes Windows security updates published by Microsoft, is available on the Pepperl+Fuchs website.\nFor VisuNet PC* systems with Microsoft Windows operating systems, Microsoft offers security updates, which can be downloaded from the Microsoft website.\nPlease note that the Microsoft security updates directly affect machine code execution on the CPU. Users should be aware that installing these patches might negatively affect system performance and/or system stability.\nThis advisory will be updated as further details and/or software updates become available.",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "cert@pepperl-fuchs.com",
      "name": "Pepperl+Fuchs SE",
      "namespace": "https://www.pepperl-fuchs.com"
    },
    "references": [
      {
        "summary": "Meltdown attack",
        "url": "https://meltdownattack.com/"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for Pepperl+Fuchs",
        "url": "https://certvde.com/en/advisories/vendor/pepperl+fuchs/"
      },
      {
        "category": "self",
        "summary": "VDE-2018-002: Pepperl+Fuchs: HMI devices vulnerable to Meltdown and Spectre Attacks - HTML",
        "url": "https://certvde.com/de/advisories/VDE-2018-002/"
      },
      {
        "category": "self",
        "summary": "VDE-2018-002: Pepperl+Fuchs: HMI devices vulnerable to Meltdown and Spectre Attacks - CSAF",
        "url": "https://pepperl-fuchs.csaf-tp.certvde.com/.well-known/csaf/white/2018/vde-2018-002.json"
      }
    ],
    "title": "Pepperl+Fuchs: HMI devices vulnerable to Meltdown and Spectre Attacks",
    "tracking": {
      "aliases": [
        "VDE-2018-002"
      ],
      "current_release_date": "2025-05-14T12:28:19.000Z",
      "generator": {
        "date": "2024-06-17T13:29:17.244Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.6"
        }
      },
      "id": "VDE-2018-002",
      "initial_release_date": "2018-02-14T08:50:00.000Z",
      "revision_history": [
        {
          "date": "2018-02-14T08:50:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2024-11-06T11:27:01.000Z",
          "number": "2",
          "summary": "Fix: added self-reference, correct certvde domain, aliases"
        },
        {
          "date": "2025-05-14T12:28:19.000Z",
          "number": "3",
          "summary": "Fix: version term, reference category"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "Box Thin Client BTC all versions",
                      "product_id": "CSAFPID-11001"
                    }
                  }
                ],
                "category": "product_name",
                "name": "Box Thin Client BTC"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "VisuNet PC all versions",
                      "product_id": "CSAFPID-11002"
                    }
                  }
                ],
                "category": "product_name",
                "name": "VisuNet PC"
              },
              {
                "branches": [
                  {
                    "category": "product_version_range",
                    "name": "vers:all/*",
                    "product": {
                      "name": "VisuNet RM all versions",
                      "product_id": "CSAFPID-11003"
                    }
                  }
                ],
                "category": "product_name",
                "name": "VisuNet RM"
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          }
        ],
        "category": "vendor",
        "name": "Pepperl+Fuchs"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-5753",
      "cwe": {
        "id": "CWE-203",
        "name": "Observable Discrepancy"
      },
      "notes": [
        {
          "category": "description",
          "text": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-11001",
          "CSAFPID-11002",
          "CSAFPID-11003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Pepperl+Fuchs recommend users of their HMI devices of the VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:\n\nPepperl+Fuchs HMI devices should be segregated from enterprise networks and the Internet.\nPreconfigured server connections / websites should be restricted to secured and trusted servers. The use of secure protocols, e.g. HTTPS, is recommended.\nIn case websites are configured in kiosk mode, it should be ensured that whitelisted websites do not redirect to untrusted servers / websites.\nFor VisuNet RM* and Box Thin Client with Shell 4.x, update 18-33537, which includes Windows security updates published by Microsoft, is available on the Pepperl+Fuchs website.\nFor VisuNet PC* systems with Microsoft Windows operating systems, Microsoft offers security updates, which can be downloaded from the Microsoft website.\nPlease note that the Microsoft security updates directly affect machine code execution on the CPU. Users should be aware that installing these patches might negatively affect system performance and/or system stability.\n\nThis advisory will be updated as further details and/or software updates become available.",
          "product_ids": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 5.6,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "temporalScore": 5.6,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003"
          ]
        }
      ],
      "title": "CVE-2017-5753"
    },
    {
      "cve": "CVE-2017-5754",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "notes": [
        {
          "category": "description",
          "text": "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-11001",
          "CSAFPID-11002",
          "CSAFPID-11003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Pepperl+Fuchs recommend users of their HMI devices of the VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:\n\nPepperl+Fuchs HMI devices should be segregated from enterprise networks and the Internet.\nPreconfigured server connections / websites should be restricted to secured and trusted servers. The use of secure protocols, e.g. HTTPS, is recommended.\nIn case websites are configured in kiosk mode, it should be ensured that whitelisted websites do not redirect to untrusted servers / websites.\nFor VisuNet RM* and Box Thin Client with Shell 4.x, update 18-33537, which includes Windows security updates published by Microsoft, is available on the Pepperl+Fuchs website.\nFor VisuNet PC* systems with Microsoft Windows operating systems, Microsoft offers security updates, which can be downloaded from the Microsoft website.\nPlease note that the Microsoft security updates directly affect machine code execution on the CPU. Users should be aware that installing these patches might negatively affect system performance and/or system stability.\n\nThis advisory will be updated as further details and/or software updates become available.",
          "product_ids": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 5.6,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "temporalScore": 5.6,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003"
          ]
        }
      ],
      "title": "CVE-2017-5754"
    },
    {
      "cve": "CVE-2017-5715",
      "cwe": {
        "id": "CWE-203",
        "name": "Observable Discrepancy"
      },
      "notes": [
        {
          "category": "description",
          "text": "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-11001",
          "CSAFPID-11002",
          "CSAFPID-11003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Pepperl+Fuchs recommend users of their HMI devices of the VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:\n\nPepperl+Fuchs HMI devices should be segregated from enterprise networks and the Internet.\nPreconfigured server connections / websites should be restricted to secured and trusted servers. The use of secure protocols, e.g. HTTPS, is recommended.\nIn case websites are configured in kiosk mode, it should be ensured that whitelisted websites do not redirect to untrusted servers / websites.\nFor VisuNet RM* and Box Thin Client with Shell 4.x, update 18-33537, which includes Windows security updates published by Microsoft, is available on the Pepperl+Fuchs website.\nFor VisuNet PC* systems with Microsoft Windows operating systems, Microsoft offers security updates, which can be downloaded from the Microsoft website.\nPlease note that the Microsoft security updates directly affect machine code execution on the CPU. Users should be aware that installing these patches might negatively affect system performance and/or system stability.\n\nThis advisory will be updated as further details and/or software updates become available.",
          "product_ids": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 5.6,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "temporalScore": 5.6,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "CSAFPID-11001",
            "CSAFPID-11002",
            "CSAFPID-11003"
          ]
        }
      ],
      "title": "CVE-2017-5715"
    }
  ]
}

