Security Flaws Discovered in Rockwell Automation’s PanelView Plus Could Lead to Remote Attacks
Recent disclosures have unveiled two critical security vulnerabilities in Rockwell Automation’s PanelView Plus systems, which could potentially allow remote, unauthenticated attackers to execute arbitrary code or trigger denial-of-service (DoS) conditions. This revelation, made by Microsoft security teams, sheds light on significant risks associated with these widely used automation devices.
Yuval Gordon, a security researcher, explained that the vulnerability enabling remote code execution is linked to two custom classes within the PanelView Plus. Attackers could exploit these classes to upload and run a malicious dynamic-link library (DLL) on the device. Furthermore, the DoS vulnerability arises from the same custom class which, when subjected to specially crafted buffer overflow packets, can cause the device to become unresponsive.
The implications of these flaws are concerning: successful exploitation can lead to remote code execution or information disclosure, raising further alarm about the operational impact on affected systems. The first vulnerability, identified as CVE-2023-2071, carries a critical CVSS score of 9.8. It facilitates unauthorized remote code execution through specially crafted malicious packets. Meanwhile, CVE-2023-29464, with a CVSS score of 8.2, allows unauthenticated actors to read sensitive data from memory and can lead to DoS conditions when oversized packets are sent to the device.
The vulnerabilities have specific impacts on Rockwell Automation products. CVE-2023-2071 affects FactoryTalk View Machine Edition in versions 13.0, 12.0, and earlier, while CVE-2023-29464 pertains to FactoryTalk Linx across versions 6.30, 6.20, and previous iterations. Industry professionals were alerted to these weaknesses through advisories issued by Rockwell Automation and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September and October, highlighting the critical need for immediate remedial measures.
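An exposure check that an asset owner could run over an inventory, as an added example (not code from the article, Microsoft, or Rockwell Automation). The affected-version boundaries are the ones named above; the inventory records and host names are constructed, and treating any version at or below "13.0" / "6.30" as in scope is an assumption to confirm against the vendor advisory.

```python
"""Flag inventory entries whose product/version fall inside the affected ranges
reported for CVE-2023-2071 and CVE-2023-29464. Added example; constructed input."""

# Product -> (highest affected version named in the article, CVE id).
# Assumption: every version at or below that boundary is affected.
AFFECTED: dict[str, tuple[tuple[int, ...], str]] = {
    "FactoryTalk View ME": ((13, 0), "CVE-2023-2071"),
    "FactoryTalk Linx": ((6, 30), "CVE-2023-29464"),
}


def parse_version(text: str) -> tuple[int, ...]:
    """'12.00.01' -> (12, 0, 1): numeric, component-wise comparison, so
    string ordering quirks such as '6.30' < '6.4' cannot occur."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product: str, version: str) -> tuple[bool, str]:
    """Return (affected, cve). Only as many components as the boundary has are
    compared, so a patch release such as 13.0.2 is treated like 13.0 (assumption)."""
    entry = AFFECTED.get(product)
    if entry is None:
        return False, ""
    boundary, cve = entry
    return parse_version(version)[: len(boundary)] <= boundary, cve


def check_inventory(lines: list[str]) -> list[tuple[str, str, str]]:
    """Parse 'host,product,version' records; return (host, product, cve) hits."""
    exposed = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header comment
        host, product, version = (field.strip() for field in line.split(",", 2))
        hit, cve = is_affected(product, version)
        if hit:
            exposed.append((host, product, cve))
    return exposed


# Constructed sample inventory; the hosts and versions are not real devices.
SAMPLE_INVENTORY = [
    "# host,product,version",
    "hmi-line1,FactoryTalk View ME,12.0",
    "hmi-line2,FactoryTalk View ME,13.0",
    "hmi-line3,FactoryTalk View ME,14.0",
    "eng-ws1,FactoryTalk Linx,6.20",
    "eng-ws2,FactoryTalk Linx,6.40",
]

if __name__ == "__main__":
    for host, product, cve in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} is in the affected range for {cve}")
```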
The discovery of these vulnerabilities arises amid reports of other threat actors exploiting a recently disclosed flaw in the HTTP File Server, designated as CVE-2024-23692, with a CVSS score of 9.8. This situation underscores a prevalent risk landscape where disparate vulnerabilities could expose organizations to malware delivery and data breaches.
Business owners and IT managers must remain vigilant and prioritize security measures, leveraging resources such as the MITRE ATT&CK framework to understand potential tactics and techniques employed by adversaries. Possible adversary tactics include initial access strategies that involve exploiting known security vulnerabilities, persistence techniques to maintain a foothold within systems, and privilege escalation to gain higher levels of access.
As organizations assess their exposure to these vulnerabilities, it is essential to deploy timely software updates and monitor for signs of exploitation. The vulnerabilities pose a significant risk not only to the integrity of automation systems but also to the broader fabric of cybersecurity resilience within the industry. Knowledge of such threats is vital for informed decision-making and proactive cybersecurity strategies.