Microsoft discovered and responsibly disclosed two vulnerabilities in Rockwell Automation PanelView Plus that could be remotely exploited by unauthenticated attackers, allowing them to perform remote code execution and denial-of-service.
The RCE vulnerability in PanelView Plus involves two custom classes that can be abused to upload and load a malicious DLL into the device.
The DoS vulnerability takes advantage of the same custom class to send a crafted buffer that the device is unable to handle properly, leading to a denial of service. PanelView Plus devices are graphic terminals, also known as human machine interfaces (HMIs), and are used in industrial environments.
These vulnerabilities can significantly impact organizations using the affected devices, as attackers could exploit these vulnerabilities to remotely execute code and disrupt operations.
By sharing this research with the larger security community, we aim to emphasize the importance of collaboration in the effort to secure platforms and devices.
Further investigation revealed that the requesting device was an engineering workstation and the responding device was an HMI, specifically a PanelView Plus.
Since the two devices communicated using the CIP, our first step was to understand the protocol in depth.
This knowledge leads us to our second hypothesis: there might be another custom class, managed by the same DLL as the one responsible for the registry class, that could be exploited to gain remote control of the device.
Next, we examined the second class found within the same DLL. This class allowed reading and writing files on the device.
Having gained a comprehensive understanding of the vulnerabilities, we had an idea of how an attacker could utilize the two custom classes to launch code remotely on the device.
The idea was to compile a DLL compatible with Windows 10 IoT, the operating system of the device.
This DLL would contain the code we wanted to run on the device and would be exported under the name GetVersion, which is one of the valid function names that can be invoked by custom class 1.
We would then use custom class 2 to upload our DLL to the device, placing it in a random folder and naming it remotehelper.
We then uploaded our patched DLL to the device, placing it in a different folder than the original.
Exe, which granted us a command shell on the device.
We confirmed that the exploit was successful and that we had gained full control of the device.
It is recommended to first identify the devices in your network that are impacted by those vulnerabilities.
It is also recommended to install the following patches on the device: Make sure all critical devices, such as PLCs, routers, PCs, etc.
Limit access to CIP devices to authorized components only.
To assist with identifying impacted devices, Microsoft released a tool for scanning and performing forensic investigation on Rockwell RSLogix devices as part of its arsenal of open-source tools available on GitHub.
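Because both vulnerabilities are reached through custom (vendor-specific) CIP object classes, one practical way to enforce the "authorized components only" recommendation is to inspect CIP requests on the wire for the class they address and the host they come from. The following added example, which is not Microsoft's tool nor any Rockwell code, parses a CIP Message Router request (service code plus padded EPATH) and reports requests that target vendor-specific class IDs or originate outside an allow list; the sample requests, the class ID 0x64, the service code 0x32 and the IP addresses are constructed for illustration, and the vendor-specific ID ranges are assumed from the CIP specification's class ID allocation.

```python
import struct

# Vendor-specific CIP class ID ranges, assumed from the CIP spec's object
# class ID allocation (verify against your copy of the specification).
VENDOR_SPECIFIC = ((0x64, 0xC7), (0x300, 0x4FF))

def parse_request(msg: bytes) -> dict:
    """Parse a CIP Message Router request: service, then a padded EPATH of logical segments."""
    if len(msg) < 2:
        raise ValueError("truncated CIP request")
    path_len = msg[1] * 2  # request path size is counted in 16-bit words
    path = msg[2:2 + path_len]
    if len(path) != path_len:
        raise ValueError("request path shorter than declared size")
    out, i = {"service": msg[0]}, 0
    while i < len(path):
        seg = path[i]
        if seg >> 5 != 0b001:  # only logical segments are handled here
            raise ValueError(f"unsupported segment type 0x{seg:02x}")
        kind = {0: "class", 1: "instance", 4: "attribute"}.get((seg >> 2) & 0x7, "other")
        if seg & 0x3 == 0:       # 8-bit logical value
            out[kind], i = path[i + 1], i + 2
        elif seg & 0x3 == 1:     # 16-bit value: pad byte, then little-endian UINT
            out[kind], i = struct.unpack_from("<H", path, i + 2)[0], i + 4
        else:
            raise ValueError("32-bit logical segments not handled")
    return out

def is_vendor_specific(class_id: int) -> bool:
    return any(lo <= class_id <= hi for lo, hi in VENDOR_SPECIFIC)

def review(src: str, msg: bytes, allowed: set) -> list:
    """Findings for one request: source outside the allow list, vendor-specific class."""
    req = parse_request(msg)
    findings = []
    if src not in allowed:
        findings.append(f"{src}: CIP request from host outside the allow list")
    if "class" in req and is_vendor_specific(req["class"]):
        findings.append(f"{src}: service 0x{req['service']:02x} to vendor-specific class 0x{req['class']:x}")
    return findings

# Constructed samples: Get_Attribute_All (0x01) on the Identity object (class 1, instance 1),
# and an arbitrary service on a vendor-specific class addressed with a 16-bit segment.
IDENTITY_REQ = bytes.fromhex("01 02 20 01 24 01")
CUSTOM_REQ = bytes.fromhex("32 03 21 00 64 00 24 01")
ALLOWED = {"10.0.0.5"}  # constructed: the engineering workstation's address

if __name__ == "__main__":
    for src, msg in (("10.0.0.5", IDENTITY_REQ), ("10.0.0.9", CUSTOM_REQ)):
        print(review(src, msg, ALLOWED) or [f"{src}: no findings"])
```

The parser only covers the CIP request itself; a deployment would feed it the payload extracted from the EtherNet/IP encapsulation (SendRRData/SendUnitData) seen by a network sensor, and tune the allow list to the plant's engineering workstations.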
This Cyber News was published on www.microsoft.com. Publication date: Tue, 02 Jul 2024 18:43:05 +0000