
Microsoft warns of increased risk in Rockwell Automation PanelView Plus CVE

Dive Brief:

  • On Tuesday, Microsoft researchers warned that critical vulnerabilities in Rockwell Automation PanelView Plus could be exploited by unauthenticated attackers, exposing devices to the risk of remote code execution and denial of service. The vulnerabilities were originally disclosed and patched in late 2023.
  • PanelView Plus devices are human-machine interfaces that are widely used in industrial environments, and malicious control of these devices could lead to jamming attacks. The remote code execution vulnerability, listed as CVE-2023-2071, has a CVSS score of 9.8. A denial of service vulnerability, listed as CVE-2023-29464, has a CVSS score of 8.2.
  • Microsoft first discovered the vulnerabilities and shared its findings with Rockwell Automation in May and July 2023. Rockwell Automation published security advisories and patches for the CVEs in September and October 2023. Microsoft researchers urged users to apply patches and other mitigations.

Dive Insight:

The remote code execution vulnerability in PanelView Plus involves two custom classes that can be used to upload a malicious DLL to a device, according to Microsoft. The denial of service vulnerability also uses a custom class, but in this case a crafted buffer is sent. The device cannot handle the uploaded buffer, leading to a denial of service.

The Microsoft Defender for IoT research team discovered what they describe as a suspicious remote registry query. Two devices were communicating using a common industrial protocol, but researchers noted a lack of encryption and no prior authentication.

“Further investigation revealed that the requesting device was an engineering workstation and the responding device was a (human-machine interface) – specifically, a PanelView Plus,” researchers wrote in a blog post.

Yuval Gordon, a Microsoft security researcher, is credited with discovering the security flaws.

Active exploitation of the vulnerabilities has not been confirmed. Federal officials previously called on industrial suppliers to strengthen cyber hygiene practices as hacktivists target human-machine interfaces, attacking critical infrastructure and other targets with weak passwords and without multi-factor authentication.

Rockwell Automation in May urged customers to disconnect from the internet, citing heightened geopolitical tensions. The public warning included references to several CVEs, including several related to the FactoryTalk services platform.

A Rockwell spokesman said the company could not comment on the disclosed information.