Dive Brief:
- Microsoft researchers on Tuesday warned that critical vulnerabilities in Rockwell Automation PanelView Plus can be exploited by unauthenticated hackers, putting the devices at risk for remote code execution and denial of service. The vulnerabilities were initially disclosed and patched in late 2023.
- PanelView Plus devices are human-machine interfaces that are widely used in industrial settings, and malicious control of these devices can lead to disruptive attacks. The remote code execution vulnerability, listed as CVE-2023-2071, has a CVSS score of 9.8. The denial of service vulnerability, listed as CVE-2023-29464, has a CVSS score of 8.2.
- Microsoft initially discovered the vulnerabilities and shared its findings with Rockwell Automation in May and July 2023. Rockwell Automation released security advisories and patches for the CVEs in September and October 2023. Microsoft researchers urged users to patch and apply other mitigation steps.
Dive Insight:
The remote code execution vulnerability in PanelView Plus involves two custom classes that can be abused to upload a malicious dynamic link library to the device, according to Microsoft. The denial of service vulnerability abuses the same custom class, but in this case a crafted buffer is sent; the device cannot handle the buffer, which results in the denial of service.
The Microsoft Defender for IoT research team found what they describe as a suspicious remote registry query. Two devices were communicating using the Common Industrial Protocol (CIP), but researchers noticed that the traffic was not encrypted and that no authentication had taken place beforehand.
“Further investigation revealed that the requesting device was an engineering workstation and the responding device was a [human-machine interface] – specifically PanelView Plus,” researchers said in the blog.
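The pattern the Defender for IoT team describes is one a defender can look for in their own OT telemetry: a CIP session from an engineering workstation to an HMI that carries a remote registry query, with no encryption and no prior authentication. The detection logic below is an added example, not Microsoft's or Rockwell's code; the key=value sensor log format, the field names, the request labels, the asset inventory and the baseline of expected traffic are all constructed assumptions. The only real constant is TCP port 44818, the well-known EtherNet/IP port that carries CIP.

```python
"""Flag suspicious CIP traffic to an HMI from constructed sensor log lines.

Added example; the log format, request labels and asset roles are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

ENIP_PORT = 44818  # real: EtherNet/IP (CIP over TCP) well-known port

# Constructed asset inventory: IP -> role. A real deployment would pull this
# from the OT asset inventory rather than hard-coding it.
ASSET_ROLES = {
    "10.0.1.10": "engineering_workstation",
    "10.0.1.20": "hmi",   # plays the PanelView Plus in this scenario
    "10.0.1.30": "plc",
    "10.0.1.40": "hmi",
}

# Constructed baseline of expected (source role, destination role, request)
# triples. Anything outside it that is also unauthenticated gets flagged.
BASELINE = {
    ("hmi", "plc", "read_tag"),
    ("hmi", "plc", "write_tag"),
    ("engineering_workstation", "plc", "read_tag"),
}


@dataclass
class CipEvent:
    ts: str
    src: str
    dst: str
    dport: int
    protocol: str
    encrypted: bool
    authenticated: bool
    request: str          # sensor's classification of the request (assumed label)
    payload_len: int
    filename: str = ""    # only present on file transfer events (assumed field)
    findings: list[str] = field(default_factory=list)


def parse_line(line: str) -> CipEvent:
    """Parse one constructed key=value sensor line into a CipEvent."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return CipEvent(
        ts=fields["ts"], src=fields["src"], dst=fields["dst"],
        dport=int(fields["dport"]), protocol=fields["proto"],
        encrypted=fields["enc"] == "1", authenticated=fields["auth"] == "1",
        request=fields["req"], payload_len=int(fields["len"]),
        filename=fields.get("file", ""),
    )


def classify(ev: CipEvent) -> list[str]:
    """Return findings for one event; an empty list means nothing suspicious."""
    findings: list[str] = []
    if ev.protocol != "CIP" and ev.dport != ENIP_PORT:
        return findings  # only CIP traffic is in scope here
    src_role = ASSET_ROLES.get(ev.src, "unknown")
    dst_role = ASSET_ROLES.get(ev.dst, "unknown")

    # Rule 1: the exact pattern Microsoft described - a registry query aimed at an HMI.
    if ev.request == "remote_registry_query" and dst_role == "hmi":
        findings.append("HIGH: remote registry query to HMI over CIP")

    # Rule 2: a DLL being pushed to an HMI over CIP (what the RCE abuse path uploads).
    if ev.request == "file_upload" and dst_role == "hmi" and ev.filename.lower().endswith(".dll"):
        findings.append("HIGH: DLL uploaded to HMI over CIP")

    # Rule 3: anything off-baseline that arrives with no prior authentication.
    if (src_role, dst_role, ev.request) not in BASELINE and not ev.authenticated:
        crypto = "cleartext" if not ev.encrypted else "encrypted"
        findings.append(f"MEDIUM: unauthenticated {crypto} CIP request outside baseline "
                        f"({src_role} -> {dst_role}: {ev.request})")
    return findings


def scan(log_text: str) -> list[CipEvent]:
    """Parse every line and return only the events that produced findings."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ev.findings = classify(ev)
        if ev.findings:
            alerts.append(ev)
    return alerts


# Constructed sample log: one normal HMI->PLC poll, then the workstation->HMI
# registry query and DLL upload, a normal workstation->PLC read, and a non-CIP login.
SAMPLE_LOG = """\
ts=2024-07-02T10:00:01Z src=10.0.1.20 dst=10.0.1.30 dport=44818 proto=CIP enc=0 auth=0 req=read_tag len=48
ts=2024-07-02T10:00:05Z src=10.0.1.10 dst=10.0.1.20 dport=44818 proto=CIP enc=0 auth=0 req=remote_registry_query len=96
ts=2024-07-02T10:00:09Z src=10.0.1.10 dst=10.0.1.20 dport=44818 proto=CIP enc=0 auth=0 req=file_upload file=plugin.dll len=20480
ts=2024-07-02T10:00:12Z src=10.0.1.10 dst=10.0.1.30 dport=44818 proto=CIP enc=0 auth=0 req=read_tag len=48
ts=2024-07-02T10:00:15Z src=10.0.1.10 dst=10.0.1.40 dport=443 proto=HTTPS enc=1 auth=1 req=web_login len=512
"""

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"{ev.ts} {ev.src} -> {ev.dst}")
        for f in ev.findings:
            print(f"    {f}")
```

Rule 3 is the one that carries over to devices the first two rules do not name: it depends only on an asset inventory and a baseline of who is expected to talk to whom, so it also surfaces the broader condition Microsoft highlighted, CIP requests to an HMI that arrive with neither encryption nor prior authentication, even when the request type is something the sensor has never labelled before.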
Yuval Gordon, a security researcher at Microsoft, is credited with discovering the vulnerabilities.
Active exploitation of the vulnerabilities has not been confirmed. Federal officials previously urged industrial providers to strengthen cyber hygiene practices, as hacktivists have been targeting human-machine interfaces at critical infrastructure and other targets that have weak passwords and no multifactor authentication.
Rockwell Automation in May urged customers to disconnect their devices from the internet, citing heightened geopolitical tensions. The public warning included references to several CVEs, including several related to the FactoryTalk Services Platform.
A spokesperson for Rockwell said the company could not provide comment on the disclosures.