Important announcement to customers who use Remote Desktop Services (RDS) with the PS5000 Series, PS4000 Series and PE4000B Series

Note: Cyber Security

1 May 2020

Thank you very much for your continuous use of Pro-face products.

Pro-face's specific recommendations applicable to this vulnerability are listed below. As a general recommendation, Pro-face advises customers to refer immediately to Microsoft's Security Update Guide for further information and guidance on any affected systems, whether or not they serve as a runtime environment for Pro-face software and services. Microsoft warns that this vulnerability is wormable, and all affected systems should be updated as soon as possible.

Customers should proceed with caution when applying these patches to critical operating systems and/or performance-constrained systems. We strongly recommend evaluating the impact of these patches in a test and development environment or on an offline infrastructure before deploying them to production.

Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are protected once the patches are applied. Microsoft recommends that Windows Server 2003 and Windows XP users further consider upgrading to the latest version of Windows to protect themselves from this vulnerability. Fixes for these out-of-support versions of Windows have been made available by Microsoft in KB4500705.

Pro-face continues to monitor and track vendor research into this vulnerability.

Affected OS:

  • Windows XP (SP3 x86/Professional x64 Edition SP2) /Windows XP Embedded SP3 x86
  • Windows 7 SP1(x86/x64)/Windows Embedded Standard 7
  • Windows Server 2003 SP2(x86/x64)
  • Windows Server 2008 SP2(x86/x64)
  • Windows Server 2008 R2 SP1 x64
  • Windows Embedded Standard 2009
※ Windows® 8 and Windows® 10 are not affected.

Please refer to the following link for more information on the Microsoft RDS vulnerability:
https://www.schneider-electric.com/en/download/document/SESB-2019-136-02/

Vulnerability Details

CVE ID: CVE-2019-0708
CVSS v3.0 Base Score 9.8 | (Critical) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A remote code execution vulnerability exists in Remote Desktop Services, formerly known as Terminal Services, when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services Remote Code Execution Vulnerability'.

Affected products

Please apply the security patch provided by Microsoft according to the OS being used.
The operating systems shipped with our products are as follows.

Industrial Personal Computer (IPC):

Product Name     Affected OS                                   Affected Revision
PS5000 Series    Windows 7 Ultimate with SP1 64bit             All Revisions
                 Windows Embedded Standard 7 with SP1 64bit
                 Windows Embedded Standard 7 with SP1 32bit
PS4000 Series    Windows XP                                    All Revisions
                 Windows 7 Ultimate with SP1 64bit
                 Windows 7 Ultimate with SP1 32bit
                 Windows Embedded Standard 7 with SP1 32bit
                 Windows Embedded Standard 2009 32bit
PE4000B Series   Windows Embedded Standard 7 with SP1 32bit    All Revisions
                 Windows Embedded Standard 2009 32bit

Recommended Measures

Apply the security patch provided by Microsoft to the existing install base; see
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

If you cannot find a security patch for your product, please contact our sales office in your region.
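Before and after patching, it helps to confirm what the IPC actually exposes. The following PowerShell script is an added example and is not part of this advisory or of any Pro-face product; it reports whether RDP is enabled, which port it listens on, whether Network Level Authentication (NLA) is required, and which hotfixes are installed, so the result can be compared with the KB that the Microsoft Security Update Guide lists for the host's OS. It uses only standard Windows registry keys and cmdlets available on the Windows 7 / Windows Embedded Standard 7 generation of PowerShell; on Windows XP and Windows Server 2003 hosts PowerShell may not be installed, and the registry values can be read with reg.exe instead. Run it in an elevated prompt on the IPC.

```powershell
# Added example (not from the Pro-face advisory): audit a Windows IPC's
# exposure to CVE-2019-0708. Read-only; it changes nothing.

# OS identity, for looking up the right KB in the Security Update Guide.
$os = Get-WmiObject Win32_OperatingSystem
"OS:           $($os.Caption) $($os.CSDVersion) (build $($os.Version))"

# Terminal Server settings. fDenyTSConnections = 0 means RDP is enabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)

# Per-listener settings: TCP port and whether NLA is required.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port = $rdpTcp.PortNumber
$nlaRequired = ($rdpTcp.UserAuthentication -eq 1)

# Is anything actually listening on that port? (netstat is present on all
# listed OS versions; Get-NetTCPConnection is not.)
$pattern = "^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING" -f $port
$listening = @(netstat -ano | Select-String $pattern).Count -gt 0

"RDP enabled:  $rdpEnabled"
"RDP port:     $port (listening: $listening)"
"NLA required: $nlaRequired"

# Most recent hotfixes, to compare with the KB Microsoft lists for this OS.
# The script does not hard-code a KB number: the correct one depends on the
# OS and on whether the security-only or monthly rollup was chosen.
"Recent hotfixes:"
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 15 HotFixID, InstalledOn |
    Format-Table -AutoSize

# Summary line for a fleet spreadsheet.
if ($rdpEnabled -and $listening -and -not $nlaRequired) {
    "RESULT: RDP reachable without NLA; apply the Microsoft patch and require NLA."
} elseif ($rdpEnabled -and $listening) {
    "RESULT: RDP reachable with NLA; still apply the Microsoft patch."
} else {
    "RESULT: RDP not reachable on this host; patch on the normal schedule."
}
```

Microsoft's advisory for CVE-2019-0708 lists enabling NLA and blocking TCP 3389 at the perimeter as mitigations, because the flaw is reached before authentication; neither replaces the patch. NLA can be required on the affected OS versions by setting UserAuthentication to 1 under the RDP-Tcp key above and restarting the Remote Desktop Services service, after confirming that every client that needs to connect supports it.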

General Security Recommendations

We strongly recommend following industry cybersecurity best practices such as:
  • Locate control and safety system networks and remote devices behind firewalls, and isolate them from the business network.
  • Physical controls should be in place so that no unauthorized person would have access to the ICS and safety controllers, peripheral equipment or the ICS and safety networks.
  • All controllers should reside in locked cabinets and never be left in the “Program” mode.
  • All programming software should be kept in locked cabinets and should never be connected to any network other than the network of the devices for which it is intended.
  • All methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. should be scanned before use in the terminals or any node connected to these networks.
  • Laptops that have connected to any other network besides the intended network should never be allowed to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

For more information

This document provides an overview of the identified vulnerability or vulnerabilities and actions required to mitigate. For more details and assistance on how to protect your installation, please contact your local Pro-face representative and/or Schneider Electric Industrial Cybersecurity Services. These organizations will be fully aware of this situation and can support you through the process.

http://www2.schneider-electric.com/sites/corporate/en/support/cybersecurity/cybersecurity.page
https://www.schneider-electric.com/en/work/services/field-services/industrial-automation/industrialcybersecurity/industrial-cybersecurity.jsp

Legal Disclaimer
THIS DOCUMENT IS INTENDED TO HELP PROVIDE AN OVERVIEW OF THE IDENTIFIED SITUATION AND SUGGESTED MITIGATION ACTIONS, REMEDIATION, FIX, AND/OR GENERAL SECURITY RECOMMENDATIONS AND IS PROVIDED ON AN "AS-IS" BASIS WITHOUT WARRANTY OF ANY KIND. PRO-FACE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SCHNEIDER ELECTRIC JAPAN HOLDINGS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF SCHNEIDER ELECTRIC JAPAN HOLDINGS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE USE OF THIS NOTIFICATION, THE INFORMATION CONTAINED HEREIN, OR MATERIALS LINKED TO IT IS AT YOUR OWN RISK. PRO-FACE RESERVES THE RIGHT TO UPDATE OR CHANGE THIS NOTIFICATION AT ANY TIME AND IN ITS SOLE DISCRETION.

Inquiry

If you have any inquiries, please contact our sales office in your region.
For contact information, please refer to the "Inquiry" page.