
Arena® Simulation Vulnerabilities

Severity: High, Medium
Advisory ID: SD1665
Published Date: March 26, 2024
Last Updated: October 16, 2024
Revision Number: 1.0
Known Exploited Vulnerability (KEV): No
Corrected: Yes
Workaround: No
CVE IDs: CVE-2024-21912, CVE-2024-21913, CVE-2024-2929, CVE-2024-21918, CVE-2024-21919, CVE-2024-21920
Download
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format: JSON
Summary

Arena® Simulation Vulnerabilities
Published Date: March 26, 2024
Last updated: March 26, 2024
Revision Number: 1.0
CVSS Score: 7.8

AFFECTED PRODUCTS AND SOLUTION

| Affected Product | CVE | First Known in Software Version | Corrected in Software Version |
|---|---|---|---|
| Arena® Simulation Software | CVE-2024-21912, CVE-2024-21913, CVE-2024-2929, CVE-2024-21918, CVE-2024-21919 | 16.00 | 16.20.03 |
| Arena® Simulation Software | CVE-2024-21920 | 16.00 | This issue is within the Microsoft dynamic link library file and will not be remediated. Do not open untrusted files from unknown sources to mitigate the issue. |

VULNERABILITY DETAILS

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl.  Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

 

CVE-2024-21912 IMPACT

An arbitrary code execution vulnerability could let a malicious user insert unauthorized code into the software. This is done by writing beyond the designated memory area, which causes an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-787: Out-of-bounds Write

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21913 IMPACT

A heap-based memory buffer overflow vulnerability could potentially allow a malicious user to insert unauthorized code into the software by overstepping the memory boundaries, which triggers an access violation.  Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-2929 IMPACT

A memory corruption vulnerability could potentially allow a malicious user to insert unauthorized code into the software by corrupting memory and triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21918 IMPACT

A memory buffer vulnerability could potentially allow a malicious user to insert unauthorized code into the software by corrupting the memory and triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-416: Use After Free

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-21919 IMPACT

An uninitialized pointer could potentially allow a malicious user to insert unauthorized code into the software by leveraging the pointer after it is properly. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

 

CVE-2024-21920 IMPACT

A memory buffer vulnerability might let a threat actor read beyond the intended memory boundaries. This could reveal sensitive information and even cause the application to crash, resulting in a denial-of-service condition. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor.

CVSS Base Score: 4.4
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

 

Mitigations and Workarounds

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

  • Do not open untrusted files from unknown sources.
  • For information on how to mitigate security risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

  • CVE-2024-21912 JSON
  • CVE-2024-21913 JSON
  • CVE-2024-2929 JSON
  • CVE-2024-21918 JSON
  • CVE-2024-21919 JSON
  • CVE-2024-21920 JSON