Arena® Simulation Vulnerabilities
Published Date: March 26, 2024
Last updated: August 5, 2025
Revision Number: 1.0
CVSS Score: 7.8
AFFECTED PRODUCTS AND SOLUTION
Affected Product |
CVE |
First Known in Software Version |
Corrected in Software Version |
Arena® Simulation Software |
CVE-2024-21912 |
16.00 |
|
CVE-2024-21913 |
|||
CVE-2024-2929 |
|||
CVE-2024-21918 |
|||
CVE-2024-21919 |
|||
CVE-2024-21920 |
16.00 |
|
SECURITY ISSUE DETAILS
These security issues were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation uses the latest version of the CVSS scoring system to assess the following security issues.
CVE-2024-21912 IMPACT
An arbitrary code execution security issue could let a threat actor insert unauthorized code into the software. This is done by writing beyond the designated memory area. This causes an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupt file shared by the threat actor.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No
CVE-2024-21913 IMPACT
A heap-based memory buffer overflow security issue could allow a threat actor to insert unauthorized code into the software. This is done by overstepping the memory boundaries, which triggers an access violation. A threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupt file shared by the threat actor.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow
Known Exploited Vulnerability (KEV) database: No
CVE-2024-2929 IMPACT
A memory corruption security issue could allow a threat actor to insert unauthorized code to the software. This is done by corrupting the memory triggering an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupted file shared by the threat actor.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Known Exploited Vulnerability (KEV) database: No
CVE-2024-21918 IMPACT
A memory buffer security issue could allow a threat actor to insert unauthorized code to the software. This is done by corrupting the memory and triggering an access violation. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupted file shared by the threat actor.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free
Known Exploited Vulnerability (KEV) database: No
CVE-2024-21919 IMPACT
An arbitrary code execution vulnerability was located in memory location of this product. This could result in a threat actor leveraging a uninitialized pointer and passing it throughout the application. This could allow a threat actor to insert unauthorized code to the software resulting in undefined behaviors. The threat actor could then run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To use this, the user would unknowingly need to open a corrupted file shared by the threat actor.
CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer
CVE-2024-21920 IMPACT
A memory buffer security issue could allow a threat actor read beyond the intended memory boundaries. This could reveal sensitive information and cause the application to crash. This would result in a denial-of-service condition. To use this, the user would unknowingly need to open a corrupted file shared by the threat actor.
CVSS Base Score: 4.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
CWE-125: Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software should use the risk mitigations and security best practices.
- Do not open untrusted files from unknown sources.
- For information on Security Risks for industrial automation control systems, customers should use our suggested security best practices to minimize the risks.
Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories.
ADDITIONAL RESOURCES
- CVE-2024-21912 JSON
- CVE-2024-21913 JSON
- CVE-2024-2929 JSON
- CVE-2024-21918 JSON
- CVE-2024-21919 JSON
- CVE-2024-21920 JSON
Glossary
Arbitrary Code Execution: an attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process
Denial-of-Service: malicious attempt to overwhelm a web property with traffic in order to disrupt its normal operations
Heap-based Memory Buffer Overflow: a type of buffer overflow that occurs in the heap data area. Memory on the heap is dynamically allocated at runtime and typically contains program data.
Known Exploited Vulnerability (KEV) database: an official list of security flaws that attackers have actively exploited
Memory Buffer: occurs when a program writes more data to a buffer than it can hold. This can lead to data corruption, program crashes, or unintended behavior
Memory Corruption: occurs when a flaw in software leads to the modification of memory in unintended ways, potentially causing unexpected behavior or providing avenues for exploitation
Uninitialized Pointer: occurs when a program accesses or uses a pointer that has not been initialized. If the pointer contains an uninitialized value, it might not point to a valid memory location, leading to unpredictable behavior and potential security vulnerabilities
