ICSA-16-278-02
Published 2025-06-09
Beckhoff Embedded PC Images and TwinCAT Components Vulnerabilities
CVSS 9.1
CRITICAL
CVEs (2)
Remediations
- In its IPC Security Manual (https://download.beckhoff.com/download/Document/ipc/industrial-pc/ipc_security_en.pdf), Beckhoff recommends using network and software firewalls to block all network ports except the ones that are needed. Beckhoff also recommends that default passwords be changed during commissioning, before systems are connected to the network.
- Beckhoff published the following advisories for these issues on November 17, 2014:
  - Advisory 2014-001: Potential misuse of several administrative services (https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-001.pdf)
  - Advisory 2014-002: ADS communication port allows password bruteforce (https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-002.pdf)
  - Advisory 2014-003: Recommendation to change default passwords (https://download.beckhoff.com/download/document/product-security/Advisories/advisory-2014-003.pdf)
- Beckhoff also recommends the following mitigation solutions:
  - Update images to build October 22, 2014, or newer, which solve these problems by disabling the services by default.
  - Disable the Windows CE Remote Configuration Tool by deleting the subtree “/remoteadmin”. The configuration of the web server paths can be found in the Windows registry at the path “HKEY_LOCAL_MACHINE\COMM\HTTPD\VROOTS\”.
  - Disable startup of the CE Remote Display service (cerdisp.exe) by deleting the registry key containing “CeRDisp.exe” [-HKEY_LOCAL_MACHINE\init\Launch90].
  - Disable telnet by setting the registry key [HKEY_LOCAL_MACHINE\Services\TELNETD\Flags] to dword: 4.
  - Restrict ADS communication to trusted networks only.
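
One way to verify the three registry mitigations above on a commissioned device, as an added example (not Beckhoff's or CISA's tooling). It assumes the device registry has been exported to `.reg`-style text; the sample exports are constructed, and treating an absent TELNETD key as "nothing to flag" is an assumption of this sketch.

```python
import re

# Constructed .reg-style exports (not taken from a real device or from Beckhoff).
SAMPLE_UNHARDENED = r'''
[HKEY_LOCAL_MACHINE\COMM\HTTPD\VROOTS\/remoteadmin]
@="constructed"
[HKEY_LOCAL_MACHINE\init]
"Launch90"="CeRDisp.exe"
[HKEY_LOCAL_MACHINE\Services\TELNETD]
"Flags"=dword:00000000
'''
SAMPLE_HARDENED = r'''
[HKEY_LOCAL_MACHINE\COMM\HTTPD\VROOTS\/]
@="constructed"
[HKEY_LOCAL_MACHINE\init]
"Launch50"="explorer.exe"
[HKEY_LOCAL_MACHINE\Services\TELNETD]
"Flags"=dword:00000004
'''

def parse_reg(text):
    """Map upper-cased key path -> {upper-cased value name: raw data string}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"').upper()] = data.strip()
    return keys

def audit(text):
    """Return the advisory mitigations that the export shows as not applied."""
    keys, findings = parse_reg(text), []
    hklm = "HKEY_LOCAL_MACHINE\\"
    # 1. Remote Configuration Tool: the /remoteadmin web root must be gone.
    if any(k.startswith(hklm + r"COMM\HTTPD\VROOTS\/REMOTEADMIN") for k in keys):
        findings.append("remoteadmin vroot present")
    # 2. CE Remote Display: nothing under HKLM\init may launch CeRDisp.exe.
    if any("cerdisp.exe" in d.lower() for k, vals in keys.items()
           if k.startswith(hklm + "INIT") for d in vals.values()):
        findings.append("CeRDisp.exe launched at startup")
    # 3. Telnet: if the TELNETD service key exists, Flags must be dword 4.
    telnet = keys.get(hklm + r"SERVICES\TELNETD")
    if telnet is not None:
        m = re.fullmatch(r"dword:([0-9a-f]{1,8})", telnet.get("FLAGS", "").lower())
        if m is None or int(m.group(1), 16) != 4:
            findings.append("telnet not disabled")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_UNHARDENED), audit(SAMPLE_HARDENED))
```

An empty result only covers these three registry settings; firewalling, default passwords and ADS network restriction still need to be checked separately.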
Affected Vendors
Beckhoff
Affected Products (3)
- Beckhoff · Beckhoff Embedded PC Images: <October-22-2014
- Beckhoff · TwinCAT Components featuring Automation Device Specification (ADS) communication: vers:all/*
- Beckhoff · Beckhoff Embedded PC Images: <created_October-22-2014