Revision Number: 2
CVSS Score: v3.1: 7.8, v4.0 8.5
AFFECTED PRODUCTS AND SOLUTION
Affected Product |
CVE |
Affected Software Version |
Corrected in Software Version |
Software - Arena
|
CVE-2024-11155 |
All versions 16.20.00 and prior |
V16.20.06 and later |
CVE-2044-11156
|
All versions 16.20.03 and prior |
V16.20.06 and later |
|
CVE-2024-11158
|
All versions 16.20.00 and prior |
V16.20.06 and later |
|
All versions 16.20.05 and prior |
V16.20.06 and later
|
||
CVE-2024-11157
|
All versions 16.20.06 and prior |
V16.20.07 and later
|
|
CVE-2024-12175
|
All versions 16.20.06 and prior |
V16.20.07 and later |
|
Software – Arena® 32 bit |
|
All versions 16.20.07 and prior |
n/a – see mitigations |
CVE-2024-11364
|
All versions 16.20.06 and prior |
V16.20.07 and later |
VULNERABILITY DETAILS
Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities. The following vulnerabilities were reported by ZDI (Zero Day Initiative).
CVE-2024-11155 IMPACT
A “use after free” code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-416 Use After Free
Known Exploited Vulnerability (KEV) database: No
CVE-2024-11156 IMPACT
An “out of bounds write” code execution vulnerability exists in the affected products that could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No
CVE-2024-11158 IMPACT
An “uninitialized variable” code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to access a variable before it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-665 Improper Initialization
Known Exploited Vulnerability (KEV) database: No
CVE-2024-12130 IMPACT
An “out of bounds read” code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to read beyond the boundaries of an allocated memory. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-125: Out-of-bounds Read
Known Exploited Vulnerability (KEV) database: No
CVE-2024-11157
A third-party vulnerability exists in the affected products that could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No
A third-party vulnerability exists in the affected products that could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1395 Dependency on third-party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2024-11364
Another “uninitialized variable” code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to access a variable prior to it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-1395 Dependency on third-party Component
Known Exploited Vulnerability (KEV) database: No
CVE-2024-12175
Another “use after free” code execution vulnerability exists in the affected products that could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor.
CVSS 3.1 Base Score: 7.8
CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE: CWE-416 Use After Free
Known Exploited Vulnerability (KEV) database: No
Mitigations and Workarounds
Customers using the affected software are encouraged to apply these risk mitigations, if possible.
- Do not load untrusted Arena® model files.
- Hold the control key down when loading files to help prevent the VBA file stream from loading.
For information on how to mitigate Security Risks on industrial automation control systems, we encourage customers to implement our suggested security best practices to minimize the risk of the vulnerability.
Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.
