Revision History
Revision Number
1.0
Revision History
Version 1.0 – October 27, 2023
Affected Products
| Affected Product (automated) | First Known in Software Version | Corrected in Software Version |
| Arena® Simulation Software | V16.00 | 16.20.02 |
Vulnerability Details
These vulnerabilities were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.
CVE-2023-27854 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow. The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125 Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No
CVE-2023-27858 IMPACT
An arbitrary code execution vulnerability could potentially allow a malicious user to commit unauthorized code to the software by using a uninitialized pointer in the application. The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer
Known Exploited Vulnerability (KEV) database: No
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
Risk Mitigation & User Action
Customers using the affected software are encouraged to apply the risk mitigations, if possible.
- Upgrade to 16.20.02 which has been patched to mitigate these issues, by referencing BF29820 - Patch: ZDI Security Patch & Windows 11 updates , Arena 16.2.
- Implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.
Additional Resources
