Microsoft for the Industrial Sector: Patching Rockwell PanelView Plus Products

As part of its efforts to secure critical infrastructure environments that rely on operational technology (OT) and Internet of Things (IoT) devices, Microsoft on July 2 published research results regarding two bugs found in Rockwell Automation PanelView Plus products that could lead to remote code execution (RCE) and denial of service (DoS) attacks.

Microsoft said that a critical (9.8) RCE vulnerability in PanelView Plus, CVE-2023-2071, could allow attackers to upload and load a malicious DLL onto a device. A high-severity (8.2) DoS bug, CVE-2023-29464, could allow an attacker to send a crafted buffer that the device is unable to handle, overloading it and leading to a DoS.

Rockwell Automation’s PanelView Plus devices are graphical terminals that are widely used in the industrial sector to monitor and control applications on machines and systems in industrial environments. Microsoft said the flaws could significantly impact organizations using the affected devices because attackers could exploit the vulnerabilities to remotely execute code and disrupt operations.

Microsoft said it disclosed the two vulnerabilities to Rockwell Automation last spring and summer, and Rockwell Automation issued a patch last fall. Given the continued threats to critical infrastructure that the industry has faced this year, Microsoft encouraged security teams at manufacturing plants to apply the patches.

“Remote access to industrial environments by third parties for maintenance purposes is often considered a weakness in cybersecurity programs and is often exploited by cybercriminals as an easy entry point,” said Isabelle Dumont, Chief Marketing Officer at DeNexus.

Dumont said that owners of physical assets in critical infrastructure should have a clear map of remote access points, facility by facility, to begin to understand and quantify the risk of poor security management of those assets. Then, Dumont said, they can ensure that appropriate security controls are in place by using traditional security best practices from the IT world: multi-factor authentication, strong passwords and strict access configuration.

Mayuresh Dani, Security Research Manager at Qualys, added that while both vulnerabilities target the same Common Industrial Protocol (CIP) class, the RCE flaw is more significant as it potentially allows unauthenticated remote attackers to upload malicious DLLs and execute arbitrary code.