Pepperl+Fuchs HMIs Vulnerable to Meltdown, Spectre Attacks

Pepperl+Fuchs has informed customers that some of its human-machine interface (HMI) products are vulnerable to the recently disclosed Meltdown and Spectre attack methods.

The Germany-based industrial automation company said its VisuNet and Box Thin Client HMI devices rely on Intel CPUs, which makes them vulnerable to Meltdown and Spectre attacks. The list of affected products includes VisuNet RM, VisuNet PC, and Box Thin Client BTC.

Pepperl+Fuchs told CERT@VDE, the German counterpart of ICS-CERT, that the impacted devices are designed for use on industrial control systems (ICS) networks, and they should be isolated from the enterprise network and not directly accessible from the Internet.

“Additionally, VisuNet HMI devices use a kiosk mode for normal operation. Within this mode access policies of thin client based VisuNet Remote Monitors and Box Thin Clients are restricted, such that users can only access predefined servers,” CERT@VDE said in its advisory. “This implies that outgoing connections and local software installations have to be configured by administrators. Hence, operators are restricted in a way such that they can only use the system as configured by administrators.”

The vendor says these measures should greatly reduce the risk of attacks. However, if direct Internet access is allowed and a user is tricked into visiting a malicious website, an attacker may be able to execute arbitrary code and obtain data from the HMI device’s memory, including passwords.

Pepperl+Fuchs has released some updates that include the Windows patches for Meltdown and Spectre provided by Microsoft. However, the vendor has warned customers that the fixes could have a negative impact on performance and stability.

Patches from both Intel and Microsoft have been known to cause problems, but the companies have been working on addressing existing issues.

Pepperl+Fuchs is not the only ICS vendor to inform customers that its products are vulnerable to Meltdown and Spectre attacks. Shortly after the flaws were disclosed, Rockwell Automation, Siemens, Schneider Electric and ABB published advisories on the topic.

More recently, advisories were also published by General Electric and Emerson, but the information is only available to customers that have registered an account on their websites.

The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access sensitive data stored in memory. Researchers warned recently that malicious actors appear to have already started working on malware designed to exploit the flaws.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
