Microsoft Uncovers Critical Flaws in Rockwell PanelView Plus
Microsoft has disclosed critical vulnerabilities in Rockwell Automation’s PanelView Plus products that could enable remote code execution and denial-of-service attacks by unauthenticated attackers.
The two security flaws enable hackers to execute code remotely or can lead to information disclosure or a DoS condition.
See Also: Identity Security Clinic
PanelView Plus is a family of touchscreen human-machine interfaces from Rockwell Automation used for monitoring and controlling industrial processes.
The twin vulnerabilities are tracked as CVE-2023-2071, a remote code execution vulnerability with a CVSS score of 9.8, and a denial-of-service flaw tracked as CVE-2023-29464 with a CVSS score of 8.2.
Microsoft’s Defender for IoT research team discovered the vulnerabilities in May and July 2023, while analyzing Common Industrial Protocol communications between two devices. Two devices were communicating using the common industrial protocol, however researchers noticed a lack of encryption and a lack of prior authentication.
The vulnerabilities have not been confirmed to be actively exploited.
Microsoft coordinated with Rockwell Automation through its Security Vulnerability Research program, leading to the release of security patches in September and October 2023.
The patches address these vulnerabilities in FactoryTalk View ME v12/v13 and FactoryTalk Linx v6.20/v6.30 on PanelView Plus.
Organizations are advised to disconnect critical devices from the internet, segment their networks, and restrict access to CIP devices. Microsoft also released a tool for scanning and investigating Rockwell Rslogix devices, available on GitHub.
Microsoft Defender for IoT provides detection and classification of devices using CIP, alerts on unauthorized access, and raises alerts if attempts are made to exploit these vulnerabilities.