Security Advisory – Multiple Vulnerabilities in B&R Industrial PCs and HMI Products Identified

B&R has identified several vulnerabilities affecting a range of its industrial PCs and HMI products. The reported vulnerabilities are associated with four CVE IDs: CVE-2023-5058, CVE-2023-39538, CVE-2023-39539, and CVE-2023-40238. These issues arise from the use of third-party BIOS firmware that can potentially allow attackers to disrupt system operations or execute arbitrary code during the boot process, particularly in the Driver Execution Environment (DXE).

Affected Products:
The vulnerabilities impact several B&R product lines including APC2200, APC3100, APC4100, APC910, C80, MPC3100, PPC1200, PPC2200, PPC3100, and PPC900, each up to certain firmware versions.

Details of Specific Vulnerabilities:

  • CVE-2023-5058: Related to improper input validation during system boot, potentially allowing denial-of-service or arbitrary code execution.
  • CVE-2023-39538 and CVE-2023-39539: Both involve improper validation of image files used during boot, potentially compromising system confidentiality, integrity, and availability.
  • CVE-2023-40238: An integer signedness error can occur during the processing of compressed BMP logo files, leading to potential disruptions.

Mitigation and Security Measures:
For non-exploitable devices, B&R ensures that BIOS images must be signed, and only JPG boot logos are used. Specific products such as APC4100 and PPC900 have patches and updates to mitigate these vulnerabilities. B&R has outlined that to exploit these vulnerabilities, physical access to the system is necessary.

End-users are advised to ensure their systems are updated with the latest security patches and follow B&R’s security recommendations, including isolating special purpose networks and ensuring physical controls to prevent unauthorized access.

Additional Information:
The company has not received any reports of these vulnerabilities being exploited in the wild. They continue to monitor the situation and provide updates as necessary.

Source URL: