SecurityWeek

Pepperl+Fuchs HMIs Vulnerable to Meltdown, Spectre Attacks

Pepperl+Fuchs has informed customers that some of its human-machine interface (HMI) products are vulnerable to the recently disclosed Meltdown and Spectre attack methods.

The Germany-based industrial automation company said its VisuNet and Box Thin Client HMI devices rely on Intel CPUs, which makes them vulnerable to Meltdown and Spectre attacks. The list of affected products includes VisuNet RM, VisuNet PC, and Box Thin Client BTC.

Pepperl+Fuchs told CERT@VDE, the German counterpart of ICS-CERT, that the impacted devices are designed for use on industrial control systems (ICS) networks, and they should be isolated from the enterprise network and not directly accessible from the Internet.

“Additionally, VisuNet HMI devices use a kiosk mode for normal operation. Within this mode access policies of thin client based VisuNet Remote Monitors and Box Thin Clients are restricted, such that users can only access predefined servers,” CERT@VDE said in its advisory. “This implies that outgoing connections and local software installations have to be configured by administrators. Hence, operators are restricted in a way such that they can only use the system as configured by administrators.”

The vendor says these measures should greatly reduce the risk of attacks. However, if direct Internet access is allowed and a user is tricked into visiting a malicious website, an attacker may be able to execute arbitrary code and obtain data from the HMI device’s memory, including passwords.

Pepperl+Fuchs has released some updates that include the Windows patches for Meltdown and Spectre provided by Microsoft. However, the vendor has warned customers that the fixes could have a negative impact on performance and stability.

Patches from both Intel and Microsoft have been known to cause problems, but the companies have been working on addressing the existing issues.

Pepperl+Fuchs is not the only ICS vendor to inform customers that its products are vulnerable to Meltdown and Spectre attacks. Shortly after the flaws were disclosed, Rockwell Automation, Siemens, Schneider Electric and ABB published advisories on the topic.

More recently, advisories were also published by General Electric and Emerson, but the information is only available to customers that have registered an account on their websites.

The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access sensitive data stored in memory. Researchers warned recently that malicious actors appear to have already started working on malware designed to exploit the flaws.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
