Loading

AADvance® Trusted® SIS Workstation contains multiple 7-ZIP Vulnerabilities

Severity:
High
Advisory ID:
SD1697
Published Date:
September 12, 2024
Last Updated:
November 11, 2024
Revision Number:
1.0
Known Exploited Vulnerability (KEV):
No
Corrected:
Yes
Workaround:
No
CVE IDs
CVE-2023-31102,
CVE-2023-40481
Downloads
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
CVE-2023-31102
Summary
AADvance® Trusted® SIS Workstation contains multiple 7-ZIP Vulnerabilities

Published Date: 9/12/2024
Last Updated: 9/12/2024
Revision Number: 1.0
CVSS Score: v3.1: 7.8/10

The security of our products is important to us as your chosen industrial automation supplier. This anomaly was found internally during routine testing and is being reported based on our commitment to customer transparency and to improve their business or production environments.

AFFECTED PRODUCTS AND SOLUTION

Affected Product

Affected Software Versions

Corrected in Software Version

AADvance® Trusted® SIS Workstation

2.00.01 and earlier

2.00.02

VULNERABILITY DETAILS

Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-31102 IMPACT

A vulnerability exists which could allow remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this vulnerability because the target must visit a malicious page or open a malicious file.

The specific vulnerability exists in the analysis of 7Z files. The problem results from the lack of proper validation of user-supplied data, which can lead to an integer underflow before writing to memory. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

CVE-2023-40481 IMPACT

 A SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution exists in 7-Zip that allows remote threat actors to execute arbitrary code on affected installations of 7-Zip. User interaction is also required to exploit this vulnerability, as the target must visit a malicious page or open a malicious file.

The specific vulnerability arises during the analysis of SQFS files due to the lack of proper validation of user-supplied data. This can cause a write operation to exceed the end of an allocated buffer. A threat actor can exploit this vulnerability to execute code in the context of the current process.

CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE:  CWE-20: Improper Input Validation
Known Exploited Vulnerability (KEV) database: No

Mitigations and Workarounds
Customers using the affected software are encouraged to apply the risk mitigations, if possible.

·         Do not archive or restore projects from unknown sources.

·         For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices

to minimize the risk of the vulnerability.

Customers can use Stakeholder-Specific Vulnerability Categorization

to generate more environment-specific prioritization.

ADDITIONAL RESOURCES

·         JSON CVE-2023-31102

·         JSON CVE-2023-40481

Copyright ©2022 Rockwell Automation, Inc.