SD1665 | Security Advisory | Rockwell Automation

Severity:

High,

Medium

Advisory ID:

SD1665

Published Date:

March 26, 2024

Last Updated:

October 16, 2024

Revision Number:

1.0

Known Exploited Vulnerability (KEV):

Corrected:

Yes

Workaround:

CVE IDs

CVE-2024-21912,

CVE-2024-21913,

CVE-2024-2929,

CVE-2024-21918,

CVE-2024-21919,

CVE-2024-21920

Downloads

The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:

JSON

Summary

Arena® Simulation Vulnerabilities

Arena® Simulation Vulnerabilities
Published Date: March 26, 2024
Last updated: March 26, 2024
Revision Number: 1.0
CVSS Score: 7.8

AFFECTED PRODUCTS AND SOLUTION

Affected Product	CVE	First Known in Software Version	Corrected in Software Version
Arena® Simulation Software	CVE-2024-21912	16.00	16.20.03
	CVE-2024-21913
	CVE-2024-2929
	CVE-2024-21918
	CVE-2024-21919
	CVE-2024-21920	16.00	This issue is within the Microsoft dynamic library link file and will not be remediated. Do not open untrusted files from unknown sources to mitigate the issue

VULNERABILITY DETAILS

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2024-21912 IMPACT

An arbitrary code execution vulnerability could let a malicious user insert unauthorized code into the software. This is done by writing beyond the designated memory area, which causes an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

CVE-2024-21913 IMPACT

A heap-based memory buffer overflow vulnerability could potentially allow a malicious user to insert unauthorized code into the software by overstepping the memory boundaries, which triggers an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow

Known Exploited Vulnerability (KEV) database: No

CVE-2024-2929 IMPACT

A memory corruption vulnerability could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Known Exploited Vulnerability (KEV) database: No

CVE-2024-21918 IMPACT

A memory buffer vulnerability could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory and triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free

Known Exploited Vulnerability (KEV) database: No

CVE-2024-21919 IMPACT

An uninitialized pointer could potentially allow a malicious user to insert unauthorized code to the software by leveraging the pointer after it is properly. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

CVE-2024-21920 IMPACT

A memory buffer vulnerability might let a threat actor read beyond the intended memory boundaries. This could reveal sensitive information and even cause the application to crash, resulting in a denial-of-service condition. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 4.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Do not open untrusted files from unknown sources.
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES