Microsoft has disclosed two security vulnerabilities in Rockwell Automation PanelView Plus that could be exploited by remote, unauthenticated attackers to execute arbitrary code and trigger a denial-of-service (DoS) attack.
“The [remote code execution] vulnerability in PanelView Plus involves two custom classes that can be exploited to upload and load a malicious DLL into the device,” security researcher Yuval Gordon explained.
“The DoS vulnerability utilizes the same custom class to send a crafted buffer that the device is unable to handle properly, resulting in a DoS condition.”
The list of vulnerabilities is as follows:
- CVE-2023-2071 (CVSS score: 9.8) – An improper input validation vulnerability that allows unauthenticated attackers to achieve remote code execution via crafted malicious packets.
- CVE-2023-29464 (CVSS score: 8.2) – An improper input validation vulnerability that allows an unauthenticated threat actor to read data from memory via crafted malicious packets and to cause a DoS by sending a packet larger than the buffer size.
Successful exploitation of these vulnerabilities could lead to remote code execution, information disclosure, or a DoS condition.
CVE-2023-2071 affects FactoryTalk View Machine Edition (versions 13.0, 12.0, and earlier), while CVE-2023-29464 impacts FactoryTalk Linx (versions 6.30, 6.20, and earlier).
Notably, Rockwell Automation released advisories for these vulnerabilities on September 12, 2023, and October 12, 2023. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued alerts on September 21 and October 17.
This disclosure coincides with reports of unknown threat actors exploiting a critical security flaw in HTTP File Server (CVE-2024-23692, CVSS score: 9.8) to distribute cryptocurrency miners and trojans such as Xeno RAT, Gh0st RAT, and PlugX.
The vulnerability, characterized as a case of template injection, enables remote, unauthenticated attackers to execute arbitrary commands on the affected system by sending a specially crafted HTTP request.