OTPulse

PEPPERL+FUCHS VisuNet RM, VisuNet PC, and Box Thin Client

Act Now · CVSS 7.5 · ICS-CERT ICSA-18-198-03 · Jul 17, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Pepperl+Fuchs VisuNet RM, VisuNet PC, and Box Thin Client (BTC) devices are affected by the authentication and encryption weaknesses in the Windows implementation of the CredSSP protocol (the underlying Windows flaw is CVE-2018-0886). An attacker positioned on the network path between an HMI device and its clients could intercept authentication traffic, perform a man-in-the-middle attack, obtain administrator privileges, and execute code remotely on the affected HMI device. The weakness lies in how CredSSP delegates credentials and in an encryption oracle in the protocol exchange, which lets a man-in-the-middle misuse the delegated credentials.

What this means
What could happen
An attacker on the same network segment could intercept communications between HMI devices and their clients, gain administrative access, and execute commands on plant visualization and control systems. That would allow falsification of displayed process data, modification of device configurations, or loss of operator visibility into plant operations.
Who's at risk
Water and electric utilities operating Pepperl+Fuchs VisuNet RM, VisuNet PC, or Box Thin Client (BTC) HMI devices should be concerned. These devices are used for process visualization and control in SCADA and industrial automation environments. Operators and engineers accessing these HMI systems are at risk of credential interception and system compromise if their devices run affected versions of RM Shell 4, RM Shell 5, Windows 7, or Windows 10 without the latest security patches.
How it could be exploited
An attacker with access to the network segment of an HMI device can intercept CredSSP authentication traffic between the device and a connecting client. By exploiting the encryption oracle, the attacker acting as a man-in-the-middle can abuse the delegated credentials (for example by relaying them) and so gain administrative access to the device, which enables remote code execution and full system compromise. The attack requires a position on the network path between the HMI device and its clients (for example the same plant network, a VPN endpoint, or a compromised intermediate system); it cannot be launched from the Internet against a properly isolated device.
Prerequisites
  • Network access to the same network segment as the HMI device or ability to intercept traffic between HMI device and client
  • Presence of a client attempting to connect using CredSSP protocol
  • High skill level required to craft man-in-the-middle attack and exploit encryption oracle
  • Knowledge of CredSSP protocol vulnerabilities and encryption weaknesses
  • High EPSS score (91.5% exploit probability)
  • Patch availability depends on the product version and image (see the affected products table)
  • Affects HMI/visualization systems in critical infrastructure
  • Requires network proximity but not direct Internet access
  • Encryption oracle weakness enables misuse of delegated credentials
  • Impacts Windows-based industrial devices with limited update mechanisms
Exploitability
High exploit probability (EPSS 91.5%)
Affected products (3), all 3 with a fix available

Product | Affected Versions | Fix Status
VisuNet PC (all models) | All versions | Windows CVE-2018-0886 CredSSP patch via Windows Update
VisuNet RM (all models) | All versions | RM Shell 4: RM Image 4 Security Patches 01/2017 to 05/2018 (18-33400C); RM Shell 5: RM Image 5 Security, Windows Cumulative Security Patch 07/2018 (18-33624)
Box Thin Client BTC (all models) | All versions | RM Shell 4: RM Image 4 Security Patches 01/2017 to 05/2018 (18-33400C); Windows-based models: CVE-2018-0886 CredSSP patch via Windows Update
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update VisuNet RM devices running RM Shell 4 with security patches 01/2017 to 05/2018 (patch package 18-33400C)
HOTFIX: Update VisuNet RM devices running RM Shell 5 with Windows Cumulative Security Patch 07/2018 (patch package 18-33624)
HOTFIX: Update the Windows 7 and Windows 10 operating systems on all affected HMI devices through Windows Update to address the underlying CredSSP vulnerability (CVE-2018-0886)
HOTFIX: After deploying the patches, ensure every third-party client and server that connects to the HMI devices also runs the updated CredSSP protocol version; patch the clients and servers before enforcing the stricter CredSSP policy on the HMI devices, otherwise sessions from unpatched peers will be refused
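The Windows CredSSP update that fixes CVE-2018-0886 adds an "Encryption Oracle Remediation" policy (registry value AllowEncryptionOracle: 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable) and, once installed, logs System event 6041 when it refuses a peer that still speaks the old protocol version. The following PowerShell is an added example, not code from the OTPulse page, from Pepperl+Fuchs, or from ICS-CERT: it audits that policy on a Windows-based HMI device, enforces Force Updated Clients, and lists the peers that were refused so they can be patched. The registry path, value meanings and event ID are Microsoft-documented; the Get-HotFix date check is a heuristic of my own for "a post-March-2018 update is present", and the order of operations (patch the device and its peers first, then enforce) is the caveat from the HOTFIX items above.

```powershell
# Added example (not from the vendor advisory or the OTPulse page).
# Run in an elevated PowerShell on each Windows-based HMI device after the
# cumulative update has been installed. Registry path and value meanings come
# from Microsoft's CredSSP remediation guidance (KB4093492).

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Meaning = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable' }

function Get-CredSspOracleState {
    # Returns the configured AllowEncryptionOracle value, or $null when no policy is set.
    # Caveat: an absent value means the OS default applies, which is 'Vulnerable' on a
    # host that lacks the May 2018 (or later) update and 'Mitigated' on a host that has
    # it, so absence alone is not evidence that the device is safe.
    $item = Get-ItemProperty -Path $PolicyPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AllowEncryptionOracle
}

function Set-CredSspOracleState {
    param([ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $PolicyPath -Name AllowEncryptionOracle -Value $Value -Type DWord
}

# 1. Report the current state of the policy.
$state = Get-CredSspOracleState
if ($null -eq $state) {
    Write-Output 'AllowEncryptionOracle not set: OS default applies (Vulnerable if the CredSSP update is missing).'
} else {
    Write-Output ("AllowEncryptionOracle = {0} ({1})" -f $state, $Meaning[$state])
}

# 2. Heuristic (my assumption, not a vendor check): the CredSSP fix shipped on
#    2018-03-13, so a host with no update installed on or after that date cannot
#    honour the policy yet. Apply the vendor package / Windows Update first.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2018-03-13' }
if (-not $recent) {
    Write-Warning 'No update installed on or after 2018-03-13; apply the Windows or vendor patch before enforcing the policy.'
    return
}

# 3. Enforce Force Updated Clients (0) so this device refuses unpatched CredSSP peers.
#    Do this only after every RDP/WinRM client and server that talks to the HMI is
#    patched; unpatched peers will then fail with the "encryption oracle remediation" error.
Set-CredSspOracleState -Value 0
Write-Output ("AllowEncryptionOracle now = 0 ({0})" -f $Meaning[0])

# 4. After enforcement, list peers refused because they still offer the old protocol
#    version. Event 6041 (System log) is only ever written by the updated CredSSP.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6041 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

On a fleet, run the audit part (steps 1 and 2) first across all HMI devices and their clients, collect the results, and only switch to enforcement once no device reports a missing update; a device left at the OS default "Vulnerable" before the May 2018 update will still accept a man-in-the-middle even though its peers are patched.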
Long-term hardening
HARDENING: Isolate HMI device networks behind firewalls and ensure the devices are not directly reachable from the Internet
HARDENING: Segregate HMI and control system networks from business networks using network segmentation
HARDENING: Where remote access to HMI devices is required, use secure remote access methods such as VPNs, and keep the VPN software updated