Loading

Arena® Simulation Buffer Overflow Vulnerabilities

Severity:
High
Advisory ID:
PN1654
发布日期:
October 31, 2023
上次更新时间:
December 10, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
否
Corrected:
是
Workaround:
否
CVE IDs
CVE-2023-27854,
CVE-2023-27858
下载
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
CVE-2023-27854
CVE-2023-27858
摘要
Arena® Simulation Buffer Overflow Vulnerabilities

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 27, 2023

Affected Products

Affected Product (automated) First Known in Software Version Corrected in Software Version
Arena® Simulation Software V16.00 16.20.02

Vulnerability Details

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl.  Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-27854 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow.  The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product.  The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125 Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

CVE-2023-27858 IMPACT
An arbitrary code execution vulnerability could potentially allow a malicious user to commit unauthorized code to the software by using a uninitialized pointer in the application.  The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product.  The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Upgrade to 16.20.02 which has been patched to mitigate these issues, by referencing BF29820 - Patch: ZDI Security Patch & Windows 11 updates , Arena 16.2.
  • Implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Additional Resources

  • CVE-2023-27854 JSON
  • CVE-2023-27858 JSON
Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Rockwell Automation 主页 Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
请更新您的Cookies偏好以继续.
此功能需要Cookies来增强您的体验。请更新您的系统偏好以允许使用这些Cookies:
  • 社交媒体Cookies
  • 功能Cookies
  • 性能 Cookies
  • 市场营销Cookies
  • 所有Cookies
您可以随时更新您的系统偏好。如需了解更多信息,请参阅我们的 隐私政策
CloseClose