
Microsoft discloses vulnerabilities in Rockwell PanelView Plus devices that could allow remote code execution

Software giant Microsoft has identified and responsibly disclosed two vulnerabilities in Rockwell Automation PanelView Plus that could be remotely exploited by unauthenticated attackers, allowing them to cause remote code execution (RCE) and denial of service (DoS). The RCE vulnerability in PanelView Plus involves two custom classes that can be exploited to upload and load a malicious DLL to the device. The DoS vulnerability uses the same custom class to send a crafted buffer that the device is unable to properly handle, leading to DoS.

Rockwell has issued two warnings and released security patches in September and October 2023. Microsoft said the Rockwell Automation product security team should be commended for its quick response to the issue. PanelView Plus customers are strongly advised to apply these security patches.

PanelView Plus devices are graphical terminals, also known as human-machine interfaces (HMIs), used in the industrial space. These vulnerabilities could significantly impact organizations that use the affected devices, as attackers could exploit these vulnerabilities to remotely execute code and disrupt operations.

“One of the primary responsibilities of the Microsoft Defender for IoT research team is to ensure that the product properly analyzes various operational technology (OT) and Internet of Things (IoT) protocols,” Microsoft researchers detailed in a blog post. “During this process, we observed a legitimate packet capture of two devices communicating using the Common Industrial Protocol (CIP), with one device sending a request containing the path to a registry value named ‘ProductCode,’ and the other device responding with what appeared to be the product code value.”

CIP is an industrial protocol designed for industrial automation applications. Various vendors in the industrial sector use this protocol, and the communication we observed was over EtherNet/IP, a protocol that adapts CIP to standard Ethernet.

In addition, the lack of encryption and prior authentication in the communication were of concern, as it appeared to involve a remote registry query. Further investigation revealed that the requesting device was an engineering workstation, and the responding device was an HMI—specifically, a PanelView Plus.

“We hypothesized that this remote registry query functionality could be abused by querying system keys to access secrets or even gain remote control,” the researchers wrote. “To verify this hypothesis, we needed to locate the code responsible for this functionality. Since both devices communicated using CIP, our first step was to thoroughly understand the protocol.”

According to Rockwell Automation online resources, PanelView Plus HMIs run on Windows 10 IoT (or Windows CE for older versions). The researchers extracted the Rockwell Automation DLLs and executables from the latest firmware. Several of these DLLs receive the various class IDs and process their requests; one of them handles the class ID observed in the packet capture.

“After examining the functionality associated with this class identifier, we confirmed that it is indeed responsible for querying the registry and sending a value in response,” Microsoft revealed. “However, we also discovered that the code managing this functionality performs input validation, allowing registry values to be read only from specific Rockwell keys.”

The researchers further stated that while their initial hypothesis turned out to be incorrect, “this discovery allowed us to gain valuable insights into the process of handling different CIP classes by Rockwell. In addition, we learned how to identify classes that a specific DLL is responsible for processing. This knowledge leads us to our second hypothesis – there may be another custom class, managed by the same DLL that is responsible for the registry class, that could be used to gain remote control over the device,” the post added.

The analysis began with a DLL that manages a custom CIP class for reading and writing registry keys. It was discovered that this DLL also manages two other undocumented custom CIP classes from Rockwell. Further investigation of these classes was conducted to determine whether they could be used in an attack and to help validate the hypothesis.

The first class that Microsoft researchers examined had intriguing functionality. “It accepts a path to a DLL file, a function name, and a third parameter as input. It then loads the DLL using ‘LoadLibrary’ and calls a specific function using ‘GetProcAddress’, passing the third parameter as an argument. This seemed like a possible path to arbitrary code execution.”

There was a catch though – the class contained a verification function that checked whether the DLL name was remotehelper(dot)dll and whether the function name was one of the predefined values. If these conditions were not met, the class returned an error and did not execute the function.

The researchers then detailed, “We analyzed a second class found in the same DLL. This class allowed reading and writing files on the device. It also contained a verification function, but it was more permissive—it only checked if the read/write path started with a specific string. We realized that this class could potentially be exploited by uploading a malicious DLL to the device and (placing) it almost anywhere.”

Microsoft’s post explains that once the researchers had a comprehensive understanding of the two classes, they could see clearly how an attacker could combine them to remotely execute code on a device. “The idea was to compile a DLL that was compatible with the Windows 10 IoT device operating system. This DLL would contain the code we wanted to run on the device and would be exported under the name GetVersion, which is one of the valid function names that can be called by custom class 1. We would then use custom class 2 to upload our DLL to the device, placing it in a random folder and naming it remotehelper(dot)dll. Finally, we would execute it using custom class 1,” it added.

“To better investigate how the vulnerability could be exploited, we decided to leverage an existing function in the original remotehelper(dot)dll file. We discovered that this file had an export named InvokeExe that allowed any executable to be launched on the device,” the post reads. “However, this function was not in the list of valid function names for Custom Class 1, so we could not use it directly. To overcome this obstacle, we patched the remotehelper(dot)dll file and changed one of the valid export names to point to the InvokeExe function. We then uploaded the patched DLL to the device, placing it in a different folder than the original.”

The researchers then added: “We used a custom class 1 to invoke our patched DLL and launch cmd(dot)exe, which granted us a command shell on the device. We confirmed that the exploit was successful and that we gained full control of the device.”

Microsoft recommends that organizations protect themselves against attacks that attempt to exploit these PanelView Plus vulnerabilities. The researchers call for patches to be applied to the affected devices on the network: PanelView Plus devices running FactoryTalk View ME v12/v13 and FactoryTalk Linx v6.20/v6.30 are vulnerable. The first step is to identify which devices on the network are affected.

Rockwell’s patches are described in advisories PN1645 (FactoryTalk View Machine Edition Vulnerable to Remote Code Execution) and PN1652 (FactoryTalk Linx Vulnerable to Denial-of-Service and Information Disclosure) and should be installed on the device. Additionally, organizations must ensure that critical devices such as PLCs, routers and PCs are disconnected from the Internet and properly segmented, regardless of whether they run Rockwell’s FactoryTalk View, and limit access to CIP devices to authorized components only.
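As an added illustration of that last recommendation (example code, not from Microsoft’s post or from Rockwell): a small Python detector that parses the request path of a CIP Message Router request and alerts when a host outside an allow list of engineering workstations addresses a vendor-specific object class, the ID range in which undocumented custom classes like the ones described above live. The class ID 0x370, the service code 0x32 and the IP addresses are constructed placeholders, and the parser handles only padded logical segments.

```python
from typing import Optional

# Vendor-specific object class ID ranges from the CIP specification (Volume 1);
# vendor-added classes, such as Rockwell's custom ones, fall in these ranges.
VENDOR_CLASS_RANGES = ((0x64, 0xC7), (0x300, 0x4FF))

def parse_cip_request(pkt: bytes) -> dict:
    """Parse service code, path size and logical segments of a CIP request."""
    if len(pkt) < 2:
        raise ValueError("truncated CIP request")
    service, path_len = pkt[0], pkt[1] * 2      # path size is in 16-bit words
    path, data = pkt[2:2 + path_len], pkt[2 + path_len:]
    if len(path) != path_len:
        raise ValueError("request path shorter than declared size")
    req = {"service": service, "class": None, "instance": None, "attribute": None, "data": data}
    names = {0: "class", 1: "instance", 4: "attribute"}   # logical segment types
    i = 0
    while i < len(path):
        seg = path[i]
        if seg >> 5 != 0b001:                   # only logical segments are handled
            raise ValueError(f"unsupported segment type 0x{seg:02x}")
        ltype, fmt = (seg >> 2) & 0b111, seg & 0b11
        if fmt == 0 and i + 2 <= len(path):     # 8-bit value follows directly
            value, i = path[i + 1], i + 2
        elif fmt == 1 and i + 4 <= len(path):   # pad byte, then 16-bit LE value
            value, i = int.from_bytes(path[i + 2:i + 4], "little"), i + 4
        else:
            raise ValueError("malformed or unsupported logical segment")
        if ltype in names:
            req[names[ltype]] = value
    return req

def is_vendor_specific(class_id: int) -> bool:
    return any(lo <= class_id <= hi for lo, hi in VENDOR_CLASS_RANGES)

def flag_request(src_ip: str, pkt: bytes, allowed: frozenset) -> Optional[str]:
    """Alert when a host outside the allow list addresses a vendor-specific class."""
    req = parse_cip_request(pkt)
    cls = req["class"]
    if cls is None or not is_vendor_specific(cls) or src_ip in allowed:
        return None
    return f"ALERT {src_ip}: service 0x{req['service']:02X} to vendor class 0x{cls:X}"

# Constructed samples: a standard Identity object read (class 1) and a request to
# a made-up vendor class 0x370 (placeholder, not a real Rockwell class ID).
IDENTITY_READ = bytes([0x0E, 0x03, 0x20, 0x01, 0x24, 0x01, 0x30, 0x01])
CUSTOM_REQ = bytes([0x32, 0x03, 0x21, 0x00, 0x70, 0x03, 0x24, 0x01, 0x01, 0x00])
ENGINEERING_WS = frozenset({"10.0.0.5"})         # the only host allowed to use them
```

Feeding `flag_request` the CIP payload of each EtherNet/IP SendRRData message seen on the OT segment gives a simple baseline: standard reads from any host pass, custom-class traffic from anything other than the listed workstation raises an alert.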