Multiple Flaws In Rockwell Automation Panel Let Attackers Execute Remote Code

Two vulnerabilities in Rockwell Automation PanelView Plus have been discovered. Unauthenticated attackers could exploit them remotely to perform remote code execution (RCE) and denial-of-service attacks. 

Rockwell Automation, Inc. is an American provider of industrial automation and digital transformation technology. Among the brands are FactoryTalk, Allen-Bradley, and LifecycleIQ Services.

PanelView Plus devices are utilized in the industrial sector as graphic terminals, sometimes referred to as human machine interfaces or HMIs.

Microsoft claims that two custom classes in PanelView Plus are vulnerable to an RCE attack that might be used to upload and load a malicious DLL onto the device. 

The DoS vulnerability uses the same custom class to send a specially constructed buffer that the device cannot process, causing a denial of service (DoS).

Vulnerabilities In PanelView Plus Devices

With a basic CVSS score of 9.8, the critical vulnerability tracked as CVE-2023-2071 affects FactoryTalk View Machine Edition, leading to Remote Code Execution.

An unauthenticated attacker can execute malicious packets to obtain remote code execution through the PanelView Plus’s FactoryTalk View Machine Edition, which incorrectly checks user input.

“By using a CIP class, an attacker can upload a self-made library to the device, which allows the attacker to bypass the security check and execute any code written in the function”, Microsoft said.

Affected Products And Patch Released

Secondly, a high-severity vulnerability affecting FactoryTalk® Linx, resulting in Denial-of-Service and Information Disclosure, has been tracked as CVE-2023-29464 and has a CVSS base score of 8.2.

An unauthenticated threat actor can use a maliciously constructed packet to read data from memory using FactoryTalk Linx in the Rockwell Automation PanelViewTM Plus.

When a size is sent that exceeds the buffer size, data from memory leaks out, exposing confidential information.

“If the size is large enough, it causes communications over the common industrial protocol to become unresponsive to any type of packet, resulting in a denial-of-service to FactoryTalk® Linx over the common industrial protocol,” Microsoft said.

Affected Products And Patch Released

Exploitation Approach

The objective was to compile a DLL that would work with the device’s operating system, Windows 10 IoT.

The code experts wished to execute on the device would be contained in this DLL, which would be exported with the name GetVersion—one of the legitimate function names that custom class 1 can call. 

Next, they would upload the DLL to the device using custom class 2, name it remotehelper.dll and put it in a random subdirectory.

 Exploitation approach

Experts make use of a feature that was present in the original remotehelper.dll file that featured an export named InvokeExe that enabled the device to run any executable file.

To point to the InvokeExe method, experts modified one of the permissible export names and patched the remotehelper.dll file. 

Eventually, it was verified that the exploit worked and that experts had complete authority over the device.

 Exploit PoC

Apply Fixes Available

Update the impacted devices on your network with fixes. The vulnerabilities identified affect FactoryTalk View ME v12/v13 and FactoryTalk® Linx v6.20/v6.30 on PanelView Plus. 

It is advisable to start by determining whether your network’s devices are affected by those vulnerabilities. Installing the appropriate fixes on the device is also advised.

Leave a Comment

Your email address will not be published. Required fields are marked *