Loading

Multiple Code Execution Vulnerabilities in Arena®

Severity:
High
Advisory ID:
SD1713
發佈日期:
December 04, 2024
最近更新:
December 19, 2024
Revision Number:
2.0
Known Exploited Vulnerability (KEV):
否
Corrected:
是
Workaround:
是
CVE IDs
CVE-2024-11155 ,
CVE-2024-11156 ,
CVE-2024-11158 ,
CVE-2024 -12130 ,
CVE-2024-11157,
CVE-2024-12672,
CVE-2024-11364,
CVE-2024-12175
下載
The following link(s) provide the security advisory in Vulnerability Exploitability Exchange format:
JSON
JSON
JSON
JSON
JSON
JSON
JSON
JSON
摘要

Published Date: 12/04/24

Last updated: August 6, 2025

Revision Number: 2.0

CVSS Score: v3.1: 7.8, v4.0 8.5

AFFECTED PRODUCTS AND SOLUTION

Affected Product

CVE

Affected Software Version

Corrected in Software Version

Software - Arena

 

CVE-2024-11155

All versions 16.20.00 and prior

V16.20.06 and later

CVE-2044-11156

 

All versions 16.20.03 and prior

V16.20.06 and later

CVE-2024-11158

 

All versions 16.20.00 and prior

V16.20.06 and later

CVE-2024 -12130

All versions 16.20.05 and prior

V16.20.06 and later

 

CVE-2024-11157

 

All versions 16.20.06 and prior

V16.20.07 and later

 

CVE-2024-12175

 

All versions 16.20.06 and prior

V16.20.07 and later

Software – Arena® 32 bit

CVE-2024-12672

 

All versions 16.20.07 and prior

n/a – see mitigations

CVE-2024-11364

 

All versions 16.20.06 and prior

V16.20.07 and later 

SECURITY ISSUE DETAILS

Rockwell Automation useS the latest version of the CVSS scoring system to assess the security issues. These security issues were reported by ZDI (Zero Day Initiative).

CVE-2024-11155 IMPACT

A “use after free”  code execution security issue exists in the affected products. These could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. A threat actor could leverage this issue to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-416 Use After Free

Known Exploited Vulnerability (KEV) database: No

CVE-2024-11156 IMPACT

An “out of bounds write” code execution security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-787 Out-of-bounds Write
Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-11158 IMPACT

An “uninitialized variable” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to access a variable before it being initialized. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor. for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-665 Improper Initialization

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-12130 IMPACT

An “out of bounds read” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to read beyond the boundaries of an allocated memory. A threat actor could use this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-125: Out-of-bounds Read

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-11157

A third-party security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.  

CVSS 3.1 Base Score: 7.8 

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-787 Out-of-bounds Write  
Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-12672

A third-party security issue exists in the affected products. This could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used. 

CVSS 3.1 Base Score: 7.8 

CVSS 3.1 Vector:  CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5 
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-1395 Dependency on third-party Component

Known Exploited Vulnerability (KEV) database: No 

 

CVE-2024-11364

Another “uninitialized variable” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to access a variable prior to it being initialized. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor. for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-1395 Dependency on third-party Component

Known Exploited Vulnerability (KEV) database: No

 

CVE-2024-12175

Another “use after free” code execution security issue exists in the affected products. This could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. A threat actor could leverage this to execute arbitrary code. A legitimate user must execute the malicious code crafted by the threat actor for this to be used.

CVSS 3.1 Base Score: 7.8

CVSS 3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0 Base Score: 8.5
CVSS 4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE:  CWE-416 Use After Free

Known Exploited Vulnerability (KEV) database: No

 

Mitigations and Workarounds
Customers using the affected software should use the risk mitigations.

  •       Do not load untrusted Arena® model files.
  •       Hold the control key down when loading files to help prevent the VBA file stream from loading.

For information on how to mitigate Security Risks, use our suggested security best practices.

Customers can use Stakeholder-Specific Vulnerability Categorization to create more environment-specific categories

Glossary

DOE file: store model data using a Microsoft Compound File format, which acts as a container for several data streams

Out of bounds read vulnerability: when a program reads data from a memory location outside the bounds of a array or buffer

Out of bounds write code vulnerability: a software vulnerability where a program writes beyond the bounds of an allowed area of memory

Third-party vulnerability: a weakness or flaw in an external vendor, supplier, or service provider’s system, process, or software that can be exploited to compromise the security of a connected organization.

Uninitialized variable vulnerability: occurs when a program accesses a variable before it has been initialized

Use-After-Free (UAF) vulnerability: a type of memory corruption vulnerability that occurs when a program continues to access memory locations that have already been freed.

Rockwell Automation Home
Copyright ©2022 Rockwell Automation, Inc.
  1. Chevron LeftChevron Left Rockwell Automation 首頁 Chevron RightChevron Right
  2. Chevron LeftChevron Left Trust Center Chevron RightChevron Right
  3. Chevron LeftChevron Left Industrial Security Adv Chevron RightChevron Right
  4. Chevron LeftChevron Left Industrial Security Advisory Detail Chevron RightChevron Right
請更新您的 cookie 設定以繼續.
此功能需要 cookie 來改善您的體驗。請更新您的設定以允許這些 cookie:
  • 社群媒體Cookie
  • 功能Cookie
  • 性能Cookie
  • 行銷Cookie
  • 全部Cookie
您可以隨時更新您的設定。想了解更多訊息,請參閱我們的 {0} 隱私政策
CloseClose