Microsoft Uncovers Major Flaws in Rockwell PanelView Plus

Written by

Microsoft’s cybersecurity team has uncovered two significant vulnerabilities in Rockwell Automation’s PanelView Plus, a type of human-machine interface (HMI) widely used in industrial settings. 

These vulnerabilities, identified as CVE-2023-2071 and CVE-2023-29464, can be exploited remotely by unauthenticated attackers to perform remote code execution (RCE) and denial-of-service (DoS) respectively.

The RCE vulnerability arises from two custom classes within the PanelView Plus that can be manipulated to upload and load a malicious DLL, allowing attackers to execute arbitrary code on the device. Meanwhile, the DoS vulnerability exploits the same custom class, sending a crafted buffer that the device cannot handle, causing it to crash. 

In an advisory published on Tuesday, Microsoft said such vulnerabilities pose a significant risk to organizations relying on these devices for operational processes, as they could lead to unauthorized remote control and disruption of critical operations.

Read more on cyber-threats in industrial automation: Manufacturing Top Targeted Industry in Record-Breaking Cyber Extortion Surge

According to the technical write-up, the discovery process began when Microsoft’s Defender for IoT research team observed communication between two devices using the Common Industrial Protocol (CIP). 

Further investigation revealed a remote registry query functionality within the HMI, specifically the PanelView Plus. This led the team to hypothesize about potential vulnerabilities that could be exploited to access sensitive system keys or gain control over the device.

By analyzing the firmware of the PanelView Plus, which operates on Windows 10 IoT, researchers identified several DLLs responsible for processing different CIP class IDs. They found that one such DLL could be exploited to upload and execute malicious DLL files, confirming their hypothesis about potential remote-control vulnerabilities.

In May and July 2023, Microsoft reportedly disclosed these findings to Rockwell Automation through its Coordinated Vulnerability Disclosure (CVD) program. In response, Rockwell released security patches and advisories in September and October 2023. 

Microsoft has urged all users of PanelView Plus to apply these patches promptly to mitigate potential risks.

Further recommendations from Microsoft include ensuring that all critical devices like PLCs, routers and PCs are disconnected from the internet and segmented, regardless of their use of Rockwell’s FactoryTalk View. Furthermore, they recommend restricting access to CIP devices exclusively to authorized components to bolster overall security protocols.

Image credit: Michael Vi / Shutterstock.com

What’s hot on Infosecurity Magazine?