Microsoft has discovered and disclosed two significant vulnerabilities in Rockwell Automation's PanelView Plus devices. These vulnerabilities could be remotely exploited by unauthenticated attackers, enabling them to execute remote code and initiate denial-of-service (DoS) attacks. The Microsoft findings highlight severe security gaps in the industrial space, where these human-machine interface (HMI) graphic terminals are widely used. This discovery by Microsoft highlights the critical need for robust security measures in industrial automation systems to protect against potential disruptions.

Technical Details of the RA PanelView Plus Devices Vulnerabilities

The Remote Code Execution (RCE) vulnerability, identified as CVE-2023-2071 with a CVSS score of 9.8, involves the exploitation of two custom classes within the device. Attackers can abuse these classes to upload and execute a malicious DLL, effectively gaining remote control of the device. The DoS vulnerability, labeled CVE-2023-29464 with a CVSS score of 8.2, exploits the same custom class to send a crafted buffer that the device cannot handle, leading to a system crash. "The RCE vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device. The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, thus leading to a DoS," reads Microsoft Blog.

Microsoft Discovery and Disclosure Process

Microsoft's Security Vulnerability Research (MSVR) team detected these vulnerabilities through diligent analysis and shared their findings with Rockwell Automation via Coordinated Vulnerability Disclosure (CVD) in May and July 2023. Rockwell Automation promptly responded, publishing advisories and releasing security patches in September and October 2023. "We shared these findings with Rockwell Automation through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR) in May and July 2023. Rockwell published two advisories and released security patches in September and October 2023," reads Blog. PanelView Plus devices play a crucial role in industrial automation, making the discovered vulnerabilities particularly concerning. Exploiting these vulnerabilities could allow attackers to remotely execute code, potentially leading to operational disruptions and significant financial losses for affected organizations. Microsoft emphasizes the importance of applying the released security patches to mitigate these risks.

Microsoft Defender for IoT Research Team's Role

One of the key responsibilities of the Microsoft Defender for IoT research team is to ensure comprehensive analysis of operational technology (OT) and Internet of Things (IoT) protocols. During their investigation, the team observed a legitimate packet capture between two devices communicating via the Common Industrial Protocol (CIP). A suspicious remote registry query involving a path to a registry value named “ProductCode” raised concerns about potential vulnerabilities.

In-Depth Analysis of the Protocol

CIP is an object-oriented protocol designed for industrial automation applications. Messages are directed towards specific objects identified by their Class ID and Object Instance ID. The protocol includes a Service Code, which denotes the action to be performed on the object. Microsoft's analysis revealed that the communication observed involved vendor-specific Service ID and Class ID values, prompting further investigation into the HMI firmware.

Firmware Analysis and Exploitation Approach

PanelView Plus HMIs operate on the Windows 10 IoT (or older versions on Windows CE) operating system. Microsoft's team extracted relevant DLLs and executables from the firmware to understand how the device processes CIP requests. They discovered that certain DLLs manage custom CIP classes responsible for reading and writing registry keys. This discovery led to the identification of two custom classes that could be exploited for remote code execution.

Custom Classes and Exploitation

The first custom class accepts a DLL path, function name, and parameter, loading the DLL and executing the specified function. Despite a verification function limiting the function names to predefined values, Microsoft found a way to exploit this class. The second custom class allows reading and writing files on the device, with less stringent verification, providing an avenue for uploading a malicious DLL. Microsoft demonstrated an exploitation approach by compiling a malicious DLL compatible with Windows 10 IoT. They used the second custom class to upload the DLL and placed it in a specific folder. The DLL, named remotehelper.dll, was then executed using the first custom class, granting attackers remote control of the device. This proof-of-concept confirmed the severity of the vulnerability and the potential for exploitation.

Mitigation and Protection Measures

To mitigate the risks associated with these vulnerabilities, Microsoft recommends the following measures:

• Apply Patches: Ensure that affected devices are updated with the latest security patches. Specifically, install patches PN1645 and PN1652 to address the identified vulnerabilities.
• Network Segmentation: Disconnect critical devices such as PLCs, routers, and PCs from the internet and ensure proper network segmentation.
• Access Control: Limit access to CIP devices to authorized components only.
• Utilize Tools: Use Microsoft's tool for scanning and forensic investigation of Rockwell Rslogix devices, available on GitHub, to identify impacted devices and secure them accordingly.

Microsoft's findings and disclosure of these vulnerabilities highlight the importance of collaborative efforts in the cybersecurity community. By sharing detailed technical insights and mitigation strategies, Microsoft aims to strengthen the security posture of industrial automation systems.