A few weeks ago, I was replacing and managing IT inventory. What caught my attention was that a lot of thin clients are still running Windows XP Embedded SP2.

That made me think about the possible vulnerabilities, since those thin clients won't be replaced unless there is a valid reason to do so (e.g. they stopped working or have various security issues).

What are the risks of still using those thin clients and should I replace them as soon as possible?

SP-Brown

2 Answers

There are 625 relatively serious Windows XP SP2 vulnerabilities listed: https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-739/cvssscoremin-5/cvssscoremax-10/Microsoft-Windows-Xp.html

I'm not sure how many are unresolved in the latest available security updates.

Either way, using an OS unsupported by the vendor is playing with wet dynamite.

Alain O'Dea
  • Sadly, the thin clients haven't been updated or patched since the general consensus was that they were already heavily restricted. Is there a way to show how vulnerable the thin clients are? That would prove (to a certain degree) how serious the security issues really are. – SP-Brown Sep 25 '15 at 14:11
  • Replacing the thin clients has a cost. A breach related to them has a project cost equal to the cost of breach multiplied by the probability. If the replacement cost exceeds that then replacing them doesn't make business sense. I think you need a business case not a technical case. Research breaches related to thin clients and their costs. Were any in your industry at similar sized organizations? – Alain O'Dea Sep 25 '15 at 14:37
  • The only business case I can think of are ones that include the purchase of software that was required due to certain prerequisites of a said software. But I predict that the need for a solid business case is required because most of the IT assets are going to need a replacement. I am going to do some research regarding the costs and effects of replacing several IT assets. – SP-Brown Sep 25 '15 at 14:52
XP supports TLS 1.0 and SSL 3.0, and does not support TLS 1.1 or TLS 1.2.

Unfortunately TLS 1.0 is susceptible to the BEAST attack and SSL 3 is susceptible to the POODLE attack. Don't even bother with the other older SSL protocols.

Not a good time to hold on to XP.

JOW
  • Thanks for the information regarding XP's support of TLS! In general, the thin clients (HP T5730) are not being updated since the mindset was that 'You can connect it to the network and leave it there'. But the fact that it would be sitting there and not be updated, makes me a bit nervous. I will try to discuss the possible security issues so that I can replace them soon. – SP-Brown Sep 25 '15 at 14:01
  • *Desktop* XP got the "fragment 1/n" defense which kills BEAST at MS12-006 Jan. 2012, but I was on SP3 by then so I can't testify to SP2. I also recall XP-SP3 (had) added SHA256withRSA signatures, which is very soon mandatory for servers, while Server2003-SP2 required a manual hotfix. I don't know if desktop reliably translates to Embedded, but you can test for 1/n with some trivial programs or just Wireshark. Although if you leave 1.0 open on server(s), you can't prevent and might not notice *really* lame client(s) coming in without 1/n, which could be a real risk. – dave_thompson_085 Sep 25 '15 at 22:36
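One practical way to find out which clients on the network are stuck at SSL 3.0/TLS 1.0, as discussed in the answer and comments above, is to look at the ClientHello each client sends: the `client_version` field is the highest protocol version it will accept. The following Python is an added example (not code from the answer or from any HP/Microsoft tool); it parses an SSLv3/TLS-format ClientHello record taken from a capture and flags legacy clients. The sample bytes are constructed here for the test, not recorded from a real thin client, and the cipher-suite list is illustrative.

```python
import struct

def build_client_hello(version, suites):
    """Build a minimal ClientHello record with no extensions (constructed test input)."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"   # client_version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = client_hello
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(hs)) + hs

def parse_client_hello(data):
    """Return (client_version, [cipher suite ids]) from one TLS record holding a ClientHello.
    Only SSLv3/TLS record framing is handled; SSLv2-compatible hellos are rejected."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[0:2])[0]
    pos = 34                                  # skip client_version (2) + random (32)
    pos += 1 + body[pos]                      # skip session id (length-prefixed)
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    return version, suites

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def legacy_report(data):
    """Classify a ClientHello: anything whose maximum version is TLS 1.0 or lower is 'legacy'
    (it can never negotiate TLS 1.1/1.2, which is the XP limitation described in the answer)."""
    version, suites = parse_client_hello(data)
    name = VERSION_NAMES.get(version, "unknown %#06x" % version)
    return {"version": name, "legacy": version <= 0x0301, "suites": suites}

if __name__ == "__main__":
    # Constructed sample: a TLS 1.0 hello offering AES-CBC, 3DES and RC4 suites (IANA ids).
    sample = build_client_hello(0x0301, [0x002F, 0x0035, 0x000A, 0x0005, 0x0004])
    print(legacy_report(sample))
```

To use it on real traffic, feed it the first TLS record of each client connection (for example, exported from Wireshark as raw bytes) and list the source addresses whose report is `legacy`.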