
Microsoft has revealed the details of vulnerabilities in Rockwell Automation’s PanelView Plus, which is widely used in industrial settings.
These vulnerabilities, tracked as CVE-2023-2071 and CVE-2023-29464, can be exploited remotely by unauthenticated attackers to perform remote code execution (RCE) and denial-of-service (DoS) respectively.
The RCE vulnerability arises from two custom classes within the PanelView Plus that can be manipulated to upload and load a malicious DLL, allowing attackers to execute arbitrary code on the device. The DoS vulnerability exploits the same custom class, sending a crafted buffer that the device cannot handle, causing it to crash.
According to the advisory, the discovery process began when Microsoft’s Defender for IoT research team observed communication between two devices using the Common Industrial Protocol (CIP).
Further investigation revealed a remote registry query functionality within the HMI, specifically the PanelView Plus. This led the team to hypothesize about potential vulnerabilities that could be exploited to access sensitive system keys or gain control over the device.
By analyzing the firmware of the PanelView Plus, which operates on Windows 10 IoT, researchers identified several DLLs responsible for processing different CIP class IDs. They found that one such DLL could be exploited to upload and execute malicious DLL files, confirming their hypothesis about potential remote-control vulnerabilities.
Microsoft reportedly disclosed these findings to Rockwell Automation through its Coordinated Vulnerability Disclosure programs in June 2023. In response, Rockwell released security patches and advisories in September and October 2023.
Microsoft recommends that all users of PanelView Plus apply these patches promptly to mitigate potential risks.
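Because both flaws are reached through custom CIP classes, defenders can watch for CIP requests that address vendor-specific class IDs from hosts that have no reason to send them. The sketch below is an added example, not code from Microsoft or Rockwell: the function names, the allowlist approach and the sample traffic are assumptions, and class 0x0300 is a constructed placeholder, not the class ID involved in the CVEs.

```python
import struct

# Class-ID ranges the CIP specification sets aside for vendor-specific objects.
VENDOR_CLASS_RANGES = ((0x64, 0xC7), (0x300, 0x4FF))
# Logical-segment format bits -> (offset of value, struct code); padded EPATH.
_FORMATS = {0: (1, "<B"), 1: (2, "<H"), 2: (2, "<I")}

def cip_class_id(request: bytes):
    """Return the class ID a CIP Message Router request addresses, or None."""
    # Layout: service (1 byte), path size in 16-bit words (1 byte), EPATH.
    if len(request) < 2:
        return None
    path = request[2:2 + request[1] * 2]
    if len(path) != request[1] * 2:
        return None                      # truncated or malformed request
    i = 0
    while i < len(path):
        seg = path[i]
        fmt = _FORMATS.get(seg & 0x03)
        if seg & 0xE0 != 0x20 or fmt is None:
            return None                  # not a logical segment we parse
        offset, code = fmt
        end = i + offset + struct.calcsize(code)
        if end > len(path):
            return None
        if (seg >> 2) & 0x07 == 0:       # logical type 0 = class ID
            return struct.unpack_from(code, path, i + offset)[0]
        i = end
    return None

def is_vendor_class(class_id):
    return class_id is not None and any(
        lo <= class_id <= hi for lo, hi in VENDOR_CLASS_RANGES)

def flag_requests(events, allowed_sources):
    """Return (source, class_id) for vendor-class requests from other hosts."""
    alerts = []
    for src, req in events:
        cid = cip_class_id(req)
        if is_vendor_class(cid) and src not in allowed_sources:
            alerts.append((src, cid))
    return alerts

# Constructed sample traffic, not captured from a real device.
SAMPLE = [
    ("10.0.0.5", bytes.fromhex("0e03200124013001")),   # Identity class 0x01
    ("10.0.0.5", bytes.fromhex("4b03210000032401")),   # class 0x0300, allowed
    ("10.0.0.99", bytes.fromhex("4b03210000032401")),  # class 0x0300, flagged
    ("10.0.0.99", bytes.fromhex("4b0321")),            # truncated, ignored
]
```

In practice the request bytes would come from EtherNet/IP payloads extracted by a network sensor, and the allowlist would hold the engineering workstations expected to talk to the HMI.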

