Microsoft responsibly disclosed two vulnerabilities in Rockwell Automation PanelView Plus that remote, unauthenticated attackers can exploit to perform remote code execution (RCE) and denial-of-service (DoS).
The RCE vulnerability in PanelView Plus involves exploiting two custom classes to upload and load a malicious DLL. The DoS vulnerability uses the same custom class to send a crafted buffer, causing the device to malfunction and result in a DoS.
The RCE vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device. The DoS vulnerability uses the same custom class to send a crafted buffer that the device cannot properly manage, triggering a DoS condition.
PanelView Plus devices are human-machine interfaces (HMI) in industrial environments, the exploitation of the flaws can potentially disrupt operations, posing serious risks to organizations relying on these devices.
The two vulnerabilities are:
CVE ID | CVSS Score | Vulnerability |
---|---|---|
CVE-2023-2071 | 9.8 | Remote code execution (RCE) |
CVE-2023-29464 | 8.2 | DoS via out-of-bounds read |
CVE-2023-2071 (CVSS score: 9.8) is an improper input validation vulnerability that remote, unauthenticated attackers can exploit to achieve code executed via crafted malicious packets.
“FactoryTalk View Machine Edition on the PanelView Plus, improperly verifies user’s input, which allows unauthenticated attacker to achieve remote code executed via crafted malicious packets. The device has the functionality, through a CIP class, to execute exported functions from libraries. There is a routine that restricts it to execute specific functions from two dynamic link library files.” reads the advisory. “By using a CIP class, an attacker can upload a self-made library to the device which allows the attacker to bypass the security check and execute any code written in the function.”
The flaw impacts FactoryTalk View Machine Edition (versions 13.0, 12.0, and prior).
CVE-2023-29464 (CVSS score: 8.2) is an improper input validation vulnerability that an unauthenticated threat actor can exploit to read data from memory via crafted malicious packets and result in a DoS by sending a packet larger than the buffer size
“FactoryTalk Linx, in the Rockwell Automation PanelView™ Plus, allows an unauthenticated threat actor to read data from memory via crafted malicious packets. Sending a size larger than the buffer size results in leakage of data from memory resulting in an information disclosure. If the size is large enough, it causes communications over the common industrial protocol to become unresponsive to any type of packet, resulting in a denial-of-service to FactoryTalk® Linx over the common industrial protocol.” reads the advisory.
The vulnerability impacts FactoryTalk Linx (versions 6.30, 6.20, and prior).
Rockwell Automation published two separate advisories on the flaws respectively on September 12, 2023, and October 12, 2023. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also published alerts on the two flaws in September and October.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, OT)