Microsoft issues alert about enhanced vulnerability in PanelView Plus CVEs from Rockwell Automation
In a recent development, Microsoft researchers have uncovered critical vulnerabilities in Rockwell Automation's widely used PanelView Plus human-machine interfaces, which are commonly found in industrial settings. The vulnerabilities, designated as CVE-2023-2071 and CVE-2023-29464, pose significant risks to industrial systems, particularly due to their potential for remote code execution and denial of service.
The remote code execution vulnerability, CVE-2023-2071, carries a CVSS score of 9.8, indicating a high severity level. On the other hand, the denial of service vulnerability, CVE-2023-29464, has a CVSS score of 8.2.
Upon discovering these vulnerabilities, Microsoft shared its findings with Rockwell Automation in May and July 2023. Subsequently, Rockwell Automation released security advisories and patches for the vulnerabilities in September and October 2023.
Rockwell Automation has urged its customers to disconnect from the internet due to heightened geopolitical tensions and references to these critical vulnerabilities, including those related to the FactoryTalk Service Platform. The company's recommended mitigation steps for these vulnerabilities involve applying software updates and following security best practices if immediate updates are not possible.
Specifically, users are advised to update the affected PanelView Plus software to the corrected versions provided by Rockwell Automation. If updating is not immediately feasible, security best practices such as restricting access to the affected systems, monitoring for suspicious activities, and avoiding opening untrusted files or links that could trigger the vulnerabilities are recommended.
The vulnerabilities involve memory abuse issues, such as heap-based buffer overflows, which can lead to arbitrary code execution if exploited. Therefore, prompt patching is crucial to protect systems from potential attacks.
It's worth noting that active exploitation of these vulnerabilities has not been confirmed. However, federal officials have previously urged industrial providers to strengthen cyber hygiene practices due to hacktivists targeting human-machine interfaces.
As corporate stakeholders seek to better understand the risk calculus of their technology stacks, they are increasingly concerned about whether they are potential targets. Malicious control of these devices can lead to disruptive attacks, making it essential for users to prioritise updating to patched firmware/software releases.
Rockwell Automation could not provide comment on the disclosures, but the approach to handling critical vulnerabilities in PanelView Plus devices recommended by the company universally prioritises updating to patched firmware/software releases. Additional mitigation may include network segmentation and enhanced monitoring, common for industrial control system security, but Rockwell’s update recommendation is primary.
If users seek guidance specifically for these CVEs and they are not yet listed explicitly or patched, they are advised to keep monitoring Rockwell Automation’s official security advisories page for updates and patches.
Yuval Gordon, a security researcher at Microsoft, is credited with discovering the vulnerabilities. In a recent incident, Microsoft Defender for IoT research team discovered a suspicious remote registry query involving a human-machine interface (PanelView Plus) and an engineering workstation.
The communication between the devices was found to lack encryption and prior authentication, making them vulnerable to unauthenticated hackers. This underscores the importance of securing industrial control systems in the digital age.
- The industries that rely on the Rockwell Automation's PanelView Plus human-machine interfaces should take immediate measures to update their software following the patches released by Rockwell Automation to mitigate the identified critical vulnerabilities, CVE-2023-2071 and CVE-2023-29464.
- As these vulnerabilities, particularly CVE-2023-2071, carry high severity levels due to potential remote code execution and the lack of encryption in the communication between devices, the finance industry should be concerned about the potential risks to their systems and data.
- In the face of heightened geopolitical tensions and the increasing threat of hacktivists targeting human-machine interfaces, the cybersecurity of industrial systems is paramount, and technology providers should prioritize strengthening their security measures to protect critical infrastructure.
