Pepperl+Fuchs has informed customers that some of its human-machine interface (HMI) products are vulnerable to the recently disclosed Meltdown and Spectre attack methods.
The Germany-based industrial automation company said its VisuNet and Box Thin Client HMI devices rely on Intel CPUs, which makes them vulnerable to Meltdown and Spectre attacks. The list of affected products includes VisuNet RM, VisuNet PC, and Box Thin Client BTC.
Pepperl+Fuchs told CERT@VDE, the German counterpart of ICS-CERT, that the impacted devices are designed for use on industrial control systems (ICS) networks, and they should be isolated from the enterprise network and not directly accessible from the Internet.
“Additionally, VisuNet HMI devices use a kiosk mode for normal operation. Within this mode, access policies of thin client based VisuNet Remote Monitors and Box Thin Clients are restricted, such that users can only access predefined servers,” CERT@VDE said in its advisory. “This implies that outgoing connections and local software installations have to be configured by administrators. Hence, operators are restricted in a way such that they can only use the system as configured by administrators.”
The vendor says these measures should greatly reduce the risk of attacks. However, if the device is nonetheless given direct Internet access and an operator is lured to a malicious website, an attacker may be able to get code running on the device and use it to read data from the HMI’s memory, including passwords.
Pepperl+Fuchs has released some updates that include the Windows patches for Meltdown and Spectre provided by Microsoft. However, the vendor has warned customers that the fixes could have a negative impact on performance and stability.
Patches from both Intel (microcode updates) and Microsoft (Windows updates) have caused problems of their own, including system instability and unexpected reboots, but the companies have been working to address those issues.
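Because the vendor ships the Microsoft mitigations inside its own update packages, an operator will want to confirm on each Windows-based HMI that the mitigations are actually present and enabled rather than trusting the package version. The check below is an added example, not Pepperl+Fuchs or CERT@VDE material; it uses Microsoft’s SpeculationControl PowerShell module and assumes a Windows HMI on which PowerShell and that module are available (`Install-Module SpeculationControl`) and that it is run from an elevated prompt.

```powershell
# Added example (not from the vendor or the advisory). Reports whether the
# Windows mitigations for Meltdown (kernel VA shadowing) and Spectre variant 2
# (branch target injection) are present and enabled on this host.
# Assumes: Windows with PowerShell, the SpeculationControl module installed,
# and an elevated session.

Import-Module SpeculationControl -ErrorAction Stop

$s = Get-SpeculationControlSettings -Quiet

# Spectre variant 2 (CVE-2017-5715) needs three things at once: CPU microcode
# support, the Windows update that uses it, and the mitigation switched on.
$spectreV2Mitigated = $s.BTIHardwarePresent -and
                      $s.BTIWindowsSupportPresent -and
                      $s.BTIWindowsSupportEnabled

# Meltdown (CVE-2017-5754): KVA shadowing is only required on affected CPUs.
# Where it is required, the Windows support must be both present and enabled.
$meltdownMitigated = (-not $s.KVAShadowRequired) -or
                     ($s.KVAShadowWindowsSupportPresent -and
                      $s.KVAShadowWindowsSupportEnabled)

# Registry override that administrators (or a vendor image) may have set to
# turn the mitigations off, e.g. to recover performance on a thin client.
$mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$override = (Get-ItemProperty -Path $mm -Name FeatureSettingsOverride -ErrorAction SilentlyContinue).FeatureSettingsOverride

[pscustomobject]@{
    Host                     = $env:COMPUTERNAME
    SpectreV2Mitigated       = [bool]$spectreV2Mitigated
    MeltdownMitigated        = [bool]$meltdownMitigated
    KVAShadowRequired        = [bool]$s.KVAShadowRequired
    DisabledBySystemPolicy   = [bool]$s.BTIDisabledBySystemPolicy
    MissingMicrocode         = [bool]$s.BTIDisabledByNoHardwareSupport
    FeatureSettingsOverride  = $override
}
```

A row with `SpectreV2Mitigated` false and `MissingMicrocode` true means the Windows update is installed but the CPU firmware from the hardware vendor is not, which is the usual state on embedded HMI platforms until the OEM ships a BIOS update; a non-empty `FeatureSettingsOverride` means someone has explicitly disabled the mitigations and the value should be reviewed against the site’s change records.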
Pepperl+Fuchs is not the only ICS vendor to inform customers that its products are vulnerable to Meltdown and Spectre attacks. Shortly after the flaws were disclosed, Rockwell Automation, Siemens, Schneider Electric and ABB published advisories on the topic.
More recently, advisories were also published by General Electric and Emerson, but the information is only available to customers that have registered an account on their websites.
The Meltdown and Spectre attacks abuse speculative execution in modern processors to bypass memory isolation: Meltdown lets an unprivileged process read kernel memory, while Spectre tricks the CPU into speculatively executing code paths that leak data across process or sandbox boundaries, so that malicious applications, or script running in a browser, can recover sensitive data from memory they should not be able to read. Researchers warned recently that malicious actors appear to have already started working on malware designed to exploit the flaws.