Rockwell Software Arena 9.0


EXECUTIVE SUMMARY

CVSS v3 8.6
ATTENTION: Low skill level to exploit
Vendor: Rockwell Automation
Equipment: Arena Simulation Software

——— Begin Update A Part 1 of 3 ———

Vulnerabilities: Use After Free, Information Exposure, Type Confusion, Insufficient UI Warning of Dangerous Operations

——— End Update A Part 1 of 3 ———

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-19-213-05 Rockwell Automation Arena Simulation Software that was published August 1, 2019, on the ICS webpage on us-cert.gov.


RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a current Arena session to fault or enter a denial-of-service (DoS) state, allowing the attacker to run arbitrary code.

TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

The following versions of Arena Simulation, an event simulation and automation software platform, are affected:

Arena Simulation Software for Manufacturing, Cat. 9502-Ax, Versions 16.00.00 and earlier

4.2 VULNERABILITY OVERVIEW

4.2.1

A maliciously crafted Arena file opened by an unsuspecting user may result in the application crashing or the execution of arbitrary code.

Has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned; the CVSS vector string is.

4.2.2

A maliciously crafted Arena file opened by an unsuspecting user may result in the limited exposure of information related to the targeted workstation.

has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been assigned; the CVSS vector string is.

——— Begin Update A Part 2 of 3 ———

4.2.3

A maliciously crafted Arena file opened by an unsuspecting user may result in the limited exposure of information related to the targeted workstation.

has been assigned to this vulnerability.

A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is.

4.2.4

A maliciously crafted Arena file opened by an unsuspecting user may result in the limited exposure of information related to the targeted workstation.

has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is.

——— Begin Update A Part 2 of 3 ———

4.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing

COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

4.4 RESEARCHER

kimiya of 9SG Security Team working with Trend Micro’s Zero Day Initiative reported these vulnerabilities to CISA.