PN1654 | Security Advisory | Rockwell Automation

Severity:

High

Advisory ID:

PN1654

Published Date:

October 31, 2023

Last Updated:

December 10, 2024

Revision Number:

1.0

Known Exploited Vulnerability (KEV):

Corrected:

Yes

Workaround:

CVE IDs

CVE-2023-27854,

CVE-2023-27858

Downloads

The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:

JSON

Summary

Arena® Simulation Buffer Overflow Vulnerabilities

Revision History

Revision Number

1.0

Revision History

Version 1.0 – October 27, 2023

Affected Products

Affected Product (automated)	First Known in Software Version	Corrected in Software Version
Arena® Simulation Software	V16.00	16.20.02

Vulnerability Details

These vulnerabilities were reported to Rockwell Automation by Michael Heinzl. Rockwell Automation used the latest version of the CVSS scoring system to assess the following vulnerabilities.

CVE-2023-27854 IMPACT
An arbitrary code execution vulnerability was reported to Rockwell Automation that could potentially allow a malicious user to commit unauthorized arbitrary code to the software by using a memory buffer overflow. The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-125 Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

CVE-2023-27858 IMPACT
An arbitrary code execution vulnerability could potentially allow a malicious user to commit unauthorized code to the software by using a uninitialized pointer in the application. The threat-actor could then execute malicious code on the system affecting the confidentiality, integrity, and availability of the product. The user would need to open a malicious file provided to them by the attacker for the code to execute.

CVSS Base Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-824: Access of Uninitialized Pointer

Known Exploited Vulnerability (KEV) database: No

Customers can use Stakeholder-Specific Vulnerability Categorization to generate more environment-specific prioritization.

Risk Mitigation & User Action

Customers using the affected software are encouraged to apply the risk mitigations, if possible.

Upgrade to 16.20.02 which has been patched to mitigate these issues, by referencing BF29820 - Patch: ZDI Security Patch & Windows 11 updates , Arena 16.2.
Implement our QA43240 - Recommended Security Guidelines from Rockwell Automation to minimize risk of the vulnerability.

Arena® Simulation Buffer Overflow Vulnerabilities

Revision History

Affected Products

Vulnerability Details

Risk Mitigation & User Action

Additional Resources