Important announcement to customers using Remote Desktop Services (RDS) with the Smart Portal SP5000 Series Open BOX module

Cyber Security Note

2 March 2020

Thank you very much for your continuous use of Pro-face products.

The special or specific recommendations from Schneider Electric Japan Holdings that apply to this vulnerability are listed below. As a general recommendation, Schneider Electric Japan Holdings advises customers to refer immediately to Microsoft's Security Update Guide for further information and guidance on any affected systems, whether or not they serve as a runtime environment for Schneider Electric Japan Holdings software and services. Microsoft warns that this vulnerability is wormable and that all affected systems should be updated as soon as possible.

Customers should proceed with caution when applying these patches to critical operating systems and/or performance-constrained systems. We strongly recommend evaluating the impact of these patches in a Test and Development environment or on an offline infrastructure.

Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are protected once the patches are applied. Microsoft recommends that Windows 2003 and Windows XP users further consider upgrading to the latest version of Windows to protect themselves from this vulnerability. Fixes for these out-of-support versions of Windows have been made available by Microsoft in KB4500705.

Schneider Electric Japan Holdings continues to monitor and track vendor research into this vulnerability.

Please refer to the following link for more information on the Microsoft RDS vulnerability:
https://www.schneider-electric.com/en-us/download/document/SESB-2019-136-02/

Vulnerability Details

CVE ID: CVE-2019-0708
CVSS v3.0 Base Score 9.8 | (Critical) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

Affected products

Smart Portal

Product Name: SP5000 Series
Product Module: Open BOX Module (SP-5B40, SP-5B41)

Recommended Measures

Apply the security patch provided by Microsoft to the existing install base; it is available at
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

General Security Recommendations

We strongly recommend following industry cybersecurity best practices such as:
  • Locate control and safety system networks and remote devices behind firewalls, and isolate them from the business network.
  • Physical controls should be in place so that no unauthorized person would have access to the ICS and safety controllers, peripheral equipment or the ICS and safety networks.
  • All controllers should reside in locked cabinets and never be left in the “Program” mode.
  • All programming software should be kept in locked cabinets and should never be connected to any network other than the network of the devices for which it is intended.
  • All methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. should be scanned before use in the terminals or any node connected to these networks.
  • Laptops that have connected to any other network besides the intended network should never be allowed to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
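The following script is an added example, not part of this advisory or of any Pro-face product, for verifying on a Windows host (such as an Open BOX module running PowerShell 3.0 or later) that the Microsoft fix referenced under "Recommended Measures" is installed and that RDP is not exposed more widely than the recommendations above allow. The KB identifier in $RequiredKBs is a placeholder: take the correct update for your Windows version from the Microsoft Security Update Guide linked above.

```powershell
# Added example (not the advisory's own code): report whether this host has
# the CVE-2019-0708 fix installed and whether RDP is reachable at all.
# $RequiredKBs is a PLACEHOLDER; supply the KB number(s) Microsoft lists for
# this exact Windows version.
param(
    [string[]] $RequiredKBs = @('KB0000000')   # placeholder, replace per OS
)

$report = [ordered]@{}

# 1. Patch status: compare the installed-updates inventory with the required KBs.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = @($RequiredKBs | Where-Object { $installed -notcontains $_ })
$report['PatchApplied'] = ($missing.Count -eq 0)
$report['MissingKBs']   = ($missing -join ', ')

# 2. Is Remote Desktop enabled? fDenyTSConnections = 1 means RDP is switched off.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$ts    = Get-ItemProperty -Path $tsKey -Name fDenyTSConnections
$report['RdpEnabled'] = ($ts.fDenyTSConnections -eq 0)

# 3. Does the host firewall allow inbound RDP? The NetSecurity cmdlets exist only
#    on Windows 8 / Server 2012 and later, so fall back to "unknown" elsewhere.
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    $report['FirewallAllowsRdp'] = ($null -ne $rdpRules)
} else {
    $report['FirewallAllowsRdp'] = 'Unknown (check firewall manually)'
}

# 4. Verdict: the host needs attention if RDP is on, the firewall lets it in,
#    and the fix is not installed. Isolation behind a network firewall (see the
#    recommendations above) is still required even when this says "False".
$report['NeedsAttention'] = ($report.RdpEnabled -and
                             ($report.FirewallAllowsRdp -eq $true) -and
                             -not $report.PatchApplied)

[pscustomobject]$report | Format-List
```

Run it in an elevated PowerShell session on each module during the test-environment evaluation recommended above; a host reporting NeedsAttention = True should be patched or kept off any network reachable from the business side until it is.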

For more information

This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, please contact your local Schneider Electric Japan Holdings representative and/or Schneider Electric Industrial Cybersecurity Services. These organizations will be fully aware of this situation and can support you through the process.

http://www2.schneider-electric.com/sites/corporate/en-us/support/cybersecurity/cybersecurity.page
https://www.schneider-electric.com/en-us/work/services/field-services/industrial-automation/industrialcybersecurity/industrial-cybersecurity.jsp

Legal Disclaimer
THIS DOCUMENT IS INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN “AS-IS” BASIS WITHOUT WARRANTY OF ANY KIND.  SCHNEIDER ELECTRIC JAPAN HOLDINGS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SCHNEIDER ELECTRIC JAPAN HOLDINGS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC JAPAN HOLDINGS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE USE OF THIS NOTIFICATION, INFORMATION CONTAINED HEREIN, OR MATERIALS LINKED TO IT ARE AT YOUR OWN RISK. SCHNEIDER ELECTRIC JAPAN HOLDINGS RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION.

Inquiry

If you have any inquiries, please contact our sales office in your region.
For contact information, please refer to the "Inquiry" page.