As part of its efforts to secure critical infrastructure environments that depend on operational technology (OT) and Internet-of-Things (IoT) devices, Microsoft on July 2 published research on two bugs it found in Rockwell Automation PanelView Plus products that could lead to remote code execution (RCE) and denial-of-service (DoS) attacks.
Microsoft said the critical (9.8) RCE flaw — CVE-2023-2071 — in PanelView Plus can potentially be abused by attackers to upload a malicious DLL and load it on a device. The high-severity (8.2) DoS bug — CVE-2023-29464 — could let an attacker send a crafted buffer that the device can't handle, overwhelming it and leading to a DoS.
Rockwell Automation's PanelView Plus devices are graphic terminals widely used in industrial environments to monitor and control machines and systems. Microsoft said the flaws can significantly impact organizations using the affected devices, as attackers could exploit these vulnerabilities to remotely execute code and disrupt operations.
Microsoft said it disclosed the two vulnerabilities to Rockwell Automation in the spring and summer of last year, and Rockwell Automation released a patch last fall. Given the continued threat to critical infrastructure the industry has seen this year, Microsoft encouraged security teams at manufacturing plants to apply the patches.
“Remote access to industrial environments by a third-party for maintenance has often been flagged as a weakness in cybersecurity programs and is heavily targeted by threat actors as an easy entry point,” said Isabelle Dumont, CMO of DeNexus.
Dumont said owners of physical assets in critical infrastructure should have a clear map of remote access points, facility by facility, to start understanding and quantifying the risk of poor security management of those assets. Then, Dumont said, they can ensure that adequate security controls are in place using traditional security best practices from the IT world: multi-factor authentication, strong passwords, and strict access configuration.
Mayuresh Dani, manager of security research at Qualys, added that while both vulnerabilities affect the same Common Industrial Protocol (CIP) class, the RCE flaw has a higher impact because it potentially lets unauthenticated, remote attackers upload malicious DLLs and execute arbitrary code.