PN1084 | Multiple Vulnerabilities in Arena Simulation Software

The Zero Day Initiative (ZDI), part of the information security company Trend Micro, reported multiple potential vulnerabilities in Arena Simulation software. These vulnerabilities, if successfully exploited, may allow a remote, unauthenticated attacker to cause denial of service conditions or execute arbitrary code on a system after using previously freed memory.

Successful exploitation of these vulnerabilities relies on a social engineering attack.

Special thanks to Kimiya of 9SG Security team working with ZDI to find these vulnerabilities.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their networks. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.

Arena® Simulation Software for Manufacturing, Cat. 9502-Ax, Versions 16.00.00 and earlier.

CVE-2019-13510: Denial-of-service file parsing use-after-free potential remote code execution vulnerabilities
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

Note: There are also valid reasons why a file may not open in Arena®. To learn more about these circumstances, please see RAid#1073702.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H.

CVE ID	ZDI Report ID
CVE-2019-13510	ZDI-CAN-8012 ZDI-CAN-8013 ZDI-CAN-8015 ZDI-CAN-8016 ZDI-CAN-8017 ZDI-CAN-8060 ZDI-CAN-8062 ZDI-CAN-8096 ZDI-CAN-8174 ZDI-CAN-8600 ZDI-CAN-8623 ZDI-CAN-8624 ZDI-CAN-8683 ZDI-CAN-10129 ZDI-CAN-10186 ZDI-CAN-10373 ZDI-CAN-10374 ZDI-CAN-10470 ZDI-CAN-10554 ZDI-CAN-10555 ZDI-CAN-10556 ZDI-CAN-10557 ZDI-CAN-10559

CVE-2019-13511: Use-after-free Information disclosure vulnerability
If a maliciously crafted  .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, information from the targeted workstation could be accessed. However, the threat actor cannot target and retrieve data of their choosing.

CVSS v3.1 Base Score: 3.3/10[LOW]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N.

CVE ID	ZDI Report ID
CVE-2019-13511	ZDI-CAN-8014

CVE-2019-13519: Denial-of-service file parsing type confusion vulnerability
If a maliciously crafted  .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 8.6/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE ID	ZDI Report ID
CVE-2019-13519	ZDI-CAN-8175

CVE-2019-13521: Denial-of-service file type insufficient UI vulnerability
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 7.8/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID	ZDI Report ID
CVE-2019-13521	ZDI-CAN-8134

CVE-2019-13527: Denial-of-service conditions due to uninitialized pointer dereference
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. The issue results from the lack of proper initialization of a pointer prior to accessing it. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 7.8/10[HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID	ZDI Report ID
CVE-2019-13527	ZDI-CAN-8682

Customers using the affected versions of Arena® are encouraged to install the updated revision of software that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below, and are encouraged, when possible, to combine these with secondary mitigations.

1. Customers using Arena® v16.00.00 are encouraged to implement patch v16.00.01 to address these vulnerabilities (Download).

2. Do not open untrusted .doe files with Arena® Simulation Software.
3. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
4. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
6. Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
7. Use of Microsoft AppLocker or other similar Whitelisting application can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

• 54102 - Industrial Security Advisory Index
• Industrial Firewalls within a CPwE Architecture
• Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide