Rockwell Automation created a new version to handle use after free and information exposure vulnerabilities in its Arena Simulation Software, according to a report with NCCIC.
Successful exploitation of these vulnerabilities, discovered by kimiya of 9SG Security Team working with Trend Micro’s Zero Day Initiative, could allow an attacker to cause a current Arena session to fault or enter a denial-of-service (DoS) state, allowing the attacker to run arbitrary code.
An event simulation and automation software platform, Arena Simulation Software for Manufacturing, Cat. 9502-Ax, Versions 16.00.00 and earlier suffer from the issues.
In one vulnerability, a maliciously crafted Arena file opened by an unsuspecting user may result in the application crashing or the execution of arbitrary code.
CVE-2019-13510 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.
In addition, a maliciously crafted Arena file opened by an unsuspecting user may result in the limited exposure of information related to the targeted workstation.
CVE-2019-13511 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.3.
The product sees use mainly in the critical manufacturing sector. It also sees action on a global basis.
No known public exploits specifically target these vulnerabilities. This vulnerability is not exploitable remotely. However, an attacker with low skill level could leverage the vulnerabilities.
Rockwell Automation released Version 16.00.01 of Arena Simulation Software to address the reported vulnerabilities.
Rockwell Automation also recommends users:
• Do not open untrusted .doe files with Arena Simulation Software
• Ensure all software is run as a User and not as an Administrator to minimize the impact of malicious code on the infected system
• Use trusted software, software patches, anti-virus/anti-malware programs, and interact only with trusted websites and attachments
For more information see the Rockwell Automation security advisory (login required).