Rockwell Automation has an upgrade available to handle out-of-bounds read and access of uninitialized pointer vulnerabilities in its Arena product, according to a report with CISA.

Successful exploitation of these vulnerabilities, which Rockwell self-reported, could allow an attacker to execute arbitrary code by using a memory buffer overflow or using an uninitialized pointer in the application.

The following versions of Arena, a simulation software, suffer from the vulnerabilities: Version 16.20.00001.

In one issue, version 16.20 of Rockwell Automation’s Arena software contains an out-of-bounds read vulnerability when certain malformed files end up processed. An attacker with local access could utilize this to potentially leak memory or achieve arbitrary code execution.

CVE-2023-27854 is the case number for this vulnerability, which has a CVSS v3 base score of 7.8.

Schneider Bold

In addition, version 16.20 of Rockwell Automation’s Arena software contains an uninitialized pointer when certain malformed files end up processed. A local attacker who has properly prepared a malformed file may be able to point to a predetermined location in memory and execute arbitrary code.

CVE-2023-27858 is the case number for this vulnerability, which has a CVSS v3 base score of 7.8.

The product sees use in multiple industrial sectors, and on a global basis.

No known exploits target these vulnerabilities. These vulnerabilities are not exploitable remotely. However, an attacker could leverage these low complexity vulnerabilities.

Rockwell Automation recommends upgrading the affected product software to 16.20.01.

Rockwell encourages users to implement their suggested security best practices to minimize exploitation risk of these vulnerabilities.

ISSSource

Pin It on Pinterest

Share This