Microsoft has identified two security vulnerabilities in Rockwell Automation PanelView Plus that could be exploited by remote, unauthenticated attackers to execute arbitrary code and trigger a denial-of-service (DoS) attack.
“The vulnerability for remote code execution in PanelView Plus involves two custom classes that can be manipulated to upload and execute a malicious DLL on the device,” security researcher Yuval Gordon said.
“The DoS vulnerability exploits the same custom class to send a crafted buffer that the device cannot handle correctly, resulting in a DoS.”
The identified vulnerabilities are as follows:
- CVE-2023-2071 (CVSS score: 9.8) – An improper input validation vulnerability that allows unauthenticated attackers to achieve remote code execution through crafted malicious packets.
- CVE-2023-29464 (CVSS score: 8.2) – An improper input validation vulnerability that enables an unauthenticated threat actor to read data from memory via crafted malicious packets and cause a DoS by sending a packet larger than the buffer size.
Exploiting these vulnerabilities can allow an attacker to execute code remotely, disclose information, or trigger a DoS attack.
CVE-2023-2071 affects FactoryTalk View Machine Edition (versions 13.0, 12.0, and earlier), while CVE-2023-29464 impacts FactoryTalk Linx (versions 6.30, 6.20, and earlier).
Rockwell Automation issued advisories for these vulnerabilities on September 12, 2023 and October 12, 2023. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released alerts on September 21 and October 17.
Recent reports suggest that threat actors are actively exploiting a critical security vulnerability in HTTP File Server (CVE-2024-23692, CVSS score: 9.8) to distribute cryptocurrency miners and trojans like Xeno RAT, Gh0st RAT, and PlugX.
This vulnerability, categorized as a case of template injection, enables a remote, unauthenticated attacker to run arbitrary commands on the affected system by sending a specially crafted HTTP request.