PN1084 | Multiple Vulnerabilities in Arena Simulation Software

Severity:
Low,
High
Advisory ID:
PN1084
Publication Date:
June 08, 2020
Last Updated:
June 08, 2020
Revision Number:
1.2
Known Exploited Vulnerability (KEV):
No
Corrected:
No
Workaround:
No
CVE IDs
CVE-2019-13527,
CVE-2019-13510,
CVE-2019-13519,
CVE-2019-13511,
CVE-2019-13521
Summary
Multiple Vulnerabilities in Arena Simulation Software

Revision History
Version 1.0 - August 1, 2019. Initial Release.
Version 1.1 - September 19, 2019. Updated Vulnerability Reports.
Version 1.2 - June 8, 2020. Updated Vulnerability Reports.

Executive Summary

The Zero Day Initiative (ZDI), part of the information security company Trend Micro, reported multiple potential vulnerabilities in Arena Simulation software. These vulnerabilities, if successfully exploited, may allow a remote, unauthenticated attacker to cause denial of service conditions or execute arbitrary code on a system after using previously freed memory.

Successful exploitation of these vulnerabilities relies on a social engineering attack.

Special thanks to Kimiya of 9SG Security team working with ZDI to find these vulnerabilities.

Customers using affected versions of this software are encouraged to evaluate the mitigations provided below and apply the appropriate mitigations to their networks. Additional details relating to the discovered vulnerabilities, including affected products and recommended countermeasures, are provided herein.

Affected Products

Arena® Simulation Software for Manufacturing, Cat. 9502-Ax, Versions 16.00.00 and earlier.

Vulnerability Details

CVE-2019-13510: Denial-of-service file parsing use-after-free potential remote code execution vulnerabilities
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

Note: There are also valid reasons why a file may not open in Arena®. To learn more about these circumstances, please see RAid#1073702.

CVSS v3.1 Base Score: 8.6/10 [HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE ID: CVE-2019-13510
ZDI Report IDs: ZDI-CAN-8012, ZDI-CAN-8013, ZDI-CAN-8015, ZDI-CAN-8016, ZDI-CAN-8017, ZDI-CAN-8060, ZDI-CAN-8062, ZDI-CAN-8096, ZDI-CAN-8174, ZDI-CAN-8600, ZDI-CAN-8623, ZDI-CAN-8624, ZDI-CAN-8683, ZDI-CAN-10129, ZDI-CAN-10186, ZDI-CAN-10373, ZDI-CAN-10374, ZDI-CAN-10470, ZDI-CAN-10554, ZDI-CAN-10555, ZDI-CAN-10556, ZDI-CAN-10557, ZDI-CAN-10559



CVE-2019-13511: Use-after-free Information disclosure vulnerability
If a maliciously crafted Arena® .doe file is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, information from the targeted workstation could be accessed. However, the threat actor cannot target and retrieve data of their choosing.

CVSS v3.1 Base Score: 3.3/10 [LOW]
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVE ID: CVE-2019-13511
ZDI Report ID: ZDI-CAN-8014

CVE-2019-13519: Denial-of-service file parsing type confusion vulnerability
If a maliciously crafted Arena® .doe file is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 8.6/10 [HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVE ID: CVE-2019-13519
ZDI Report ID: ZDI-CAN-8175

CVE-2019-13521: Denial-of-service file type insufficient UI vulnerability
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 7.8/10 [HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE ID: CVE-2019-13521
ZDI Report ID: ZDI-CAN-8134

CVE-2019-13527: Denial-of-service conditions due to uninitialized pointer dereference
If a maliciously crafted Arena® file, also known as a .doe file type, is sent to an unsuspecting victim who is tricked, via social-engineering techniques, into opening the file in Arena®, the software application will crash and result in the potential loss of any unsaved data. The victim will need to restart Arena® to continue normal use. The issue results from the lack of proper initialization of a pointer prior to accessing it. A threat actor may additionally design their malicious file to execute their own code when it is opened by the targeted user, which could result in compromise of the victim’s machine depending on the content of the threat actor’s code.

CVSS v3.1 Base Score: 7.8/10 [HIGH]
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE ID: CVE-2019-13527
ZDI Report ID: ZDI-CAN-8682
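The defect class named above for CVE-2019-13527, a pointer that is read before it has been given a value, is a parser failure mode that is easy to see in a small self-contained example. The C below is an added illustration and is not Rockwell Automation's or Arena's code; the record layout it parses is a constructed toy format (tag, length, payload) and is not the real .doe layout. It shows the defective pattern as a comment beside a hardened parser that initializes every pointer, validates each record's length against the bytes remaining, and refuses to use a pointer that no record has set.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed toy record format (an assumption, NOT the real .doe layout):
 * a file is a sequence of records [tag:1 byte][len:1 byte][payload:len bytes].
 *   tag 0x01 = model header, payload = model name (len >= 1)
 *   tag 0x02 = entity record, payload[0] names the model it belongs to
 * The parser counts entity records whose first payload byte matches the
 * header's first byte. */
#define TAG_HEADER 0x01
#define TAG_ENTITY 0x02

typedef enum {
    PARSE_OK             =  0,
    PARSE_TRUNCATED      = -1,  /* record claims more bytes than remain */
    PARSE_MISSING_HEADER = -2,  /* entity seen before any header record */
    PARSE_BAD_RECORD     = -3   /* unknown tag or empty payload */
} parse_status;

/* Defective pattern (shown as a comment, not compiled): the pointer to the
 * header payload is declared but never initialized, and an entity record is
 * allowed to use it whether or not a header record was ever seen.
 *
 *     const uint8_t *header;                  // never initialized
 *     ...
 *     if (tag == TAG_ENTITY && header[0] == payload[0]) entities++;
 *
 * A file that simply omits the header record makes the parser read through
 * whatever stack garbage `header` happens to hold: a crash at best. */

/* Hardened version: every pointer starts as NULL, every record's length is
 * validated against the remaining bytes before the payload is touched, and
 * an entity record is rejected when no header has been parsed yet. */
parse_status count_entities_hardened(const uint8_t *buf, size_t n, int *out_count)
{
    const uint8_t *header = NULL;   /* fix: explicit initialization */
    int entities = 0;
    size_t i = 0;

    *out_count = 0;
    while (i < n) {
        if (n - i < 2)
            return PARSE_TRUNCATED;              /* no room for tag+len */
        uint8_t tag = buf[i];
        uint8_t len = buf[i + 1];
        if (n - i - 2 < (size_t)len)
            return PARSE_TRUNCATED;              /* payload overruns buffer */
        const uint8_t *payload = buf + i + 2;

        switch (tag) {
        case TAG_HEADER:
            if (len == 0)
                return PARSE_BAD_RECORD;
            header = payload;
            break;
        case TAG_ENTITY:
            if (header == NULL)
                return PARSE_MISSING_HEADER;     /* fix: never use an unset pointer */
            if (len == 0)
                return PARSE_BAD_RECORD;
            if (header[0] == payload[0])
                entities++;
            break;
        default:
            return PARSE_BAD_RECORD;             /* unknown tag: reject, don't guess */
        }
        i += 2 + (size_t)len;
    }
    *out_count = entities;
    return PARSE_OK;
}

/* Convenience wrapper: returns the entity count on success, or the negative
 * parse_status on failure. */
int hardened_count(const uint8_t *buf, size_t n)
{
    int count = 0;
    parse_status st = count_entities_hardened(buf, n, &count);
    return st == PARSE_OK ? count : (int)st;
}

/* Constructed sample inputs. */
static const uint8_t SAMPLE_GOOD[] = {
    TAG_HEADER, 3, 'M', 'o', 'd',    /* header "Mod" */
    TAG_ENTITY, 1, 'M',              /* entity tied to model 'M' -> counted */
    TAG_ENTITY, 1, 'X'               /* entity for another model -> not counted */
};
static const uint8_t SAMPLE_NO_HEADER[] = { TAG_ENTITY, 1, 'M' };
static const uint8_t SAMPLE_TRUNCATED[] = { TAG_HEADER, 5, 'M', 'o' };

int main(void)
{
    printf("good:       %d\n", hardened_count(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("no header:  %d\n", hardened_count(SAMPLE_NO_HEADER, sizeof SAMPLE_NO_HEADER));
    printf("truncated:  %d\n", hardened_count(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    return 0;
}
```

The two inputs that the hardened parser rejects (a file with no header record, and a record whose declared length overruns the buffer) are exactly the shapes a fuzzer or a crafted file would produce; a parser that checks them up front fails closed with a status code instead of crashing the application.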

Risk Mitigation & User Action

Customers using the affected versions of Arena® are encouraged to install the updated revision of software that addresses the associated risk. Customers who are unable to update are directed to the risk mitigation strategies provided below, and are encouraged, when possible, to combine these with secondary mitigations.

  1. Customers using Arena® v16.00.00 are encouraged to implement patch v16.00.01 to address these vulnerabilities (Download).

  2. Do not open untrusted .doe files with Arena® Simulation Software.
  3. Run all software as User, not as an Administrator, to minimize the impact of malicious code on the infected system.
  4. Use trusted software, software patches, anti-virus/anti-malware programs and interact only with trusted websites and attachments.
  5. Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
  6. Refer to 546987 - Rockwell Automation Customer Hardening Guidelines for our latest published guidelines for PC hardening and software security.
  7. Use of Microsoft AppLocker or a similar application whitelisting tool can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.

For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.

Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to complement security solutions.

Refer to the Network Services Overview Page for information on network and security services for Rockwell Automation to enable assessment, design, implementation and management of validated, secure network architectures.

We also recommend that concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at: 54102 - Industrial Security Advisory Index.

Rockwell Automation remains committed to making security enhancements to our systems in the future. For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web site.

Requests for additional information can be sent to the RASecure Inbox (rasecure@ra.rockwell.com). Please direct all media inquiries to Kolve Byrd (kabyrd@ra.rockwell.com).

ADDITIONAL LINKS

  • 54102 - Industrial Security Advisory Index
  • Industrial Firewalls within a CPwE Architecture
  • Deploying Industrial Firewalls within a CPwE Architecture Design and Implementation Guide

General Security Guidelines

Copyright ©2022 Rockwell Automation, Inc.