Rockwell Automation has disclosed several critical vulnerabilities in its Arena software, versions 16.20.03 and earlier, which could allow attackers to execute remote code. The flaws identified include a use-after-free vulnerability (CVE-2024-11155), an out-of-bounds write (CVE-2024-11156), an uninitialized variable vulnerability (CVE-2024-11158), and an out-of-bounds read (CVE-2024-12130). These vulnerabilities have been assigned high severity scores, with a CVSS v3.1 base score of 7.8 and a CVSS v4.0 base score of 8.5. The vulnerabilities could enable attackers to execute arbitrary code, access sensitive information, and potentially disrupt industrial operations, posing significant risks to affected organizations.
The flaws were discovered by Rockwell Automation’s internal security team and are related to the manipulation of memory allocation and resource usage within the Arena software. Attackers can exploit these vulnerabilities by crafting malicious DOE files that target these specific weaknesses. While the exploit requires a legitimate user to execute the malicious code, the risks remain substantial due to the potential for unauthorized access and system disruptions in critical industrial environments.
To address these vulnerabilities, Rockwell Automation has released version 16.20.06 of the Arena software, which resolves all four issues. The company urges users to immediately upgrade to the latest version to mitigate the risk of exploitation. Additionally, Rockwell Automation recommends following best practices for securing industrial control systems. These include restricting network access to critical systems, implementing strong access controls, and regularly monitoring for suspicious activities. Keeping all software and firmware up to date is also essential to safeguard systems against emerging threats.
This disclosure highlights the ongoing cybersecurity challenges faced by the industrial automation sector. As industrial systems become more interconnected, the risks of cyberattacks targeting critical infrastructure grow. Organizations relying on Rockwell Automation’s Arena software must prioritize applying the security update to ensure the continued safety and integrity of their operations. The vulnerabilities were reported through the Zero Day Initiative (ZDI), demonstrating the importance of responsible disclosure and collaboration between security researchers and vendors to protect industrial systems from evolving threats.
Reference: