VDE-2018-008
Vulnerability from csaf_pepperlfuchsse - Published: 2018-07-06 13:37 - Updated: 2018-07-06 13:37
Summary
Pepperl+Fuchs: Remote Code Execution Vulnerability in HMI Devices
Notes
Summary: A remote code execution vulnerability in Microsoft's Credential Security Support Provider protocol (CredSSP) was identified by security researchers. If exploited successfully, it is possible to relay user credentials for arbitrary code execution on the target system.
See details on Microsoft Advisory CVE-2018-0886 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886)
Impact: Successful exploitation of the vulnerability enables an attacker to execute arbitrary code and gain access to sensitive data, e.g. passwords of the compromised system. The vulnerability allows the attacker to intercept the initial RDP connection between a client and a remote server. The attacker can then relay user credentials to a target system and thus gain complete man-in-the-middle control over a session. A stolen session can be abused to run arbitrary code or commands on the target server on behalf of the user. Consequently, for user sessions with sufficient privileges, malicious code can be executed, e.g. with local administrator privileges. This implies that an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Mitigation: Customers using Pepperl+Fuchs HMI devices from the VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:
- Pepperl+Fuchs HMI devices running RM Shell 4 should be updated with RM Image 4 Security Patches 01/2017 to 05/2018 (18-33400C): https://www.pepperl-fuchs.com/cgi-bin/db/doci.pl/?ShowDocByDocNo=18-33400c
- Pepperl+Fuchs HMI devices running RM Shell 5 should be updated with RM Image 5 Security: Windows Cumulative Security Patch 07/2018 (18-33624): https://www.pepperl-fuchs.com/cgi-bin/db/doci.pl/?ShowDocByDocNo=18-33624
- Pepperl+Fuchs HMI devices running Windows 7 or Windows 10 should be updated by using the Windows Update mechanism.
- After deploying the patch, all connected third-party clients or servers must use the latest version of the CredSSP protocol.
Take care when installing these patches, because the update enforces security. The secure-by-default restriction might result in an error due to encryption oracle remediation. Updates should be installed on both the server and the HMI device; otherwise, system compatibility might be affected.
This advisory will be updated as further details and/or software updates become available.
The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709, Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates requests during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".
CWE-287 - Improper Authentication
Acknowledgments
CERT@VDE
certvde.com
Preempt, Research Labs
Roman Blachman
Yaron Zinar
Eyal Karni
{
"document": {
"acknowledgments": [
{
"organization": "CERT@VDE",
"summary": "coordination",
"urls": [
"https://certvde.com"
]
},
{
"names": [
"Roman Blachman",
"Yaron Zinar",
"Eyal Karni"
],
"organization": "Preempt, Research Labs"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-GB",
"notes": [
{
"category": "summary",
"text": "A remote code execution\u00a0vulnerability in the Microsoft\u0027s\u00a0Credential Security Support Provider protocol (CredSSP) was identified by security researchers. If exploited successfully, it is possible\u00a0to relay user credentials for arbitrary code execution on the target system.\nSee details on Microsoft Advisory CVE-2018-0866 (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886)",
"title": "Summary"
},
{
"category": "description",
"text": "A successful vulnerability exploitation enables an attacker to execute arbitrary code and get access to sensitive data, e.g. passwords of the compromised system. The vulnerability allows the attacker to intercept the initial RDP connection between a client and a remote-server. Then an attacker can relay user credentials to a target system and thus get complete Man in the Middle control over a session. A stolen session can be abused to run arbitrary code or commands on the target server on behalf of the user. In consequence for user sessions with sufficient privileges malicious code execution e.g. with local administrator privileges is enabled. This implies that an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.",
"title": "Impact"
},
{
"category": "description",
"text": "Customers using Pepperl+Fuchs HMI devices out of VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:\n\n- Pepperl+Fuchs HMI devices running RM Shell 4 should be updated with RM Image 4 Security Patches 01/2017 to 05/2018 (18-33400C): https://www.pepperl-fuchs.com/cgi-bin/db/doci.pl/?ShowDocByDocNo=18-33400c\n\n- Pepperl+Fuchs HMI devices running RM Shell 5 should be updated with RM Image 5 Security: Windows Cumulative Security Patch 07/2018 (18-33624): https://www.pepperl-fuchs.com/cgi-bin/db/doci.pl/?ShowDocByDocNo=18-33624\n\n- Pepperl+Fuchs HMI devices running Windows 7 or Windows 10 should be updated by using the Windows Update mechanism.\n\n- After deploying the patch all connected third-party clients or servers must use the latest version of the CredSSP protocol.\n\nBe aware of installing these patches, because security will be enforced by the update. Security by default restriction might result in an error due to encryption oracle remediation. Updates should be installed on both the server and the HMI device; otherwise, system compatibility might be influenced. \n\nThis advisory will be updated as further details and/or software updates become available.",
"title": "Mitigation"
}
],
"publisher": {
"category": "vendor",
"contact_details": "cert@pepperl-fuchs.com",
"name": "Pepperl+Fuchs SE",
"namespace": "https://www.pepperl-fuchs.com"
},
"references": [
{
"category": "self",
"summary": "VDE-2018-008: Pepperl+Fuchs: Remote Code Execution Vulnerability in HMI Devices - HTML",
"url": "https://certvde.com/en/advisories/VDE-2018-008/"
},
{
"category": "self",
"summary": "VDE-2018-008: Pepperl+Fuchs: Remote Code Execution Vulnerability in HMI Devices - CSAF",
"url": "https://pepperl-fuchs.csaf-tp.certvde.com/.well-known/csaf/white/2018/vde-2018-008.json"
},
{
"category": "external",
"summary": "Vendor PSIRT",
"url": "https://www.pepperl-fuchs.com"
},
{
"category": "external",
"summary": "CERT@VDE Security Advisories for Pepperl+Fuchs SE",
"url": "https://certvde.com/en/advisories/vendor/pepperl-fuchs/"
}
],
"title": "Pepperl+Fuchs: Remote Code Execution Vulnerability in HMI Devices",
"tracking": {
"aliases": [
"VDE-2018-008"
],
"current_release_date": "2018-07-06T13:37:00.000Z",
"generator": {
"date": "2025-04-23T08:36:18.804Z",
"engine": {
"name": "Secvisogram",
"version": "2.5.23"
}
},
"id": "VDE-2018-008",
"initial_release_date": "2018-07-06T13:37:00.000Z",
"revision_history": [
{
"date": "2018-07-06T13:37:00.000Z",
"number": "1",
"summary": "Initial revision."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Box Thin Client BTC*",
"product": {
"name": "Box Thin Client BTC*",
"product_id": "CSAFPID-11001"
}
},
{
"category": "product_name",
"name": "VisuNet PC*",
"product": {
"name": "VisuNet PC*",
"product_id": "CSAFPID-11002"
}
},
{
"category": "product_name",
"name": "VisuNet RM*",
"product": {
"name": "VisuNet RM*",
"product_id": "CSAFPID-11003"
}
}
],
"category": "product_family",
"name": "Hardware"
},
{
"branches": [
{
"category": "product_version_range",
"name": "vers:all/*",
"product": {
"name": "Firmware vers:all/*",
"product_id": "CSAFPID-21001"
}
}
],
"category": "product_family",
"name": "Firmware"
}
],
"category": "vendor",
"name": "Pepperl+Fuchs"
}
],
"product_groups": [
{
"group_id": "CSAFGID-0001",
"product_ids": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
],
"summary": "Affected products."
}
],
"relationships": [
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on Box Thin Client BTC*",
"product_id": "CSAFPID-31001"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11001"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on VisuNet PC*",
"product_id": "CSAFPID-31002"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11002"
},
{
"category": "installed_on",
"full_product_name": {
"name": "Firmware vers:all/* installed on VisuNet RM*",
"product_id": "CSAFPID-31003"
},
"product_reference": "CSAFPID-21001",
"relates_to_product_reference": "CSAFPID-11003"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-0886",
"cwe": {
"id": "CWE-287",
"name": "Improper Authentication"
},
"notes": [
{
"category": "description",
"text": "The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka \"CredSSP Remote Code Execution Vulnerability\".",
"title": "Vulnerability Description"
}
],
"product_status": {
"known_affected": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
},
"remediations": [
{
"category": "mitigation",
"details": "Customers using Pepperl+Fuchs HMI devices out of VisuNet RM*, VisuNet PC* or Box Thin Client BTC* product families should follow these guidelines:\n\n- Pepperl+Fuchs HMI devices running RM Shell 4 should be updated with RM Image 4 Security Patches 01/2017 to 05/2018 (18-33400C): https://www.pepperl-fuchs.com/cgi-bin/db/doci.pl/?ShowDocByDocNo=18-33400c\n\n- Pepperl+Fuchs HMI devices running RM Shell 5 should be updated with RM Image 5 Security: Windows Cumulative Security Patch 07/2018 (18-33624): https://www.pepperl-fuchs.com/cgi-bin/db/doci.pl/?ShowDocByDocNo=18-33624\n\n- Pepperl+Fuchs HMI devices running Windows 7 or Windows 10 should be updated by using the Windows Update mechanism.\n\n- After deploying the patch all connected third-party clients or servers must use the latest version of the CredSSP protocol.\n\nBe aware of installing these patches, because security will be enforced by the update. Security by default restriction might result in an error due to encryption oracle remediation. Updates should be installed on both the server and the HMI device; otherwise, system compatibility might be influenced. \n\nThis advisory will be updated as further details and/or software updates become available.",
"group_ids": [
"CSAFGID-0001"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalScore": 7,
"environmentalSeverity": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7,
"temporalSeverity": "HIGH",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"CSAFPID-31001",
"CSAFPID-31002",
"CSAFPID-31003"
]
}
],
"title": "CVE-2018-0886"
}
]
}