Sign-up

ID

VAR-201805-1127


CVE

CVE-2018-8843


TITLE

Rockwell Automation Arena Denial of service vulnerability

Trust: 0.8

sources: IVD: e2ef386f-39ab-11e9-952c-000c29342cb1 // CNVD: CNVD-2018-09552

DESCRIPTION

Rockwell Automation Arena versions 15.10.00 and prior contains a use after free vulnerability caused by processing specially crafted Arena Simulation Software files that may cause the software application to crash, potentially losing any unsaved data.. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of an Arena Model file. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code under the context of the Arena process. Rockwell Automation Arena is a suite of discrete event simulation and automation software from Rockwell Automation. An attacker can exploit this issue to crash the affected application, resulting in denial-of-service conditions. Versions prior to Arena 15.10.01 are vulnerable

Trust: 3.33

sources: NVD: CVE-2018-8843 // JVNDB: JVNDB-2018-005120 // ZDI: ZDI-18-435 // CNVD: CNVD-2018-09552 // BID: 104166 // IVD: e2ef386f-39ab-11e9-952c-000c29342cb1 // VULHUB: VHN-138875

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.8

sources: IVD: e2ef386f-39ab-11e9-952c-000c29342cb1 // CNVD: CNVD-2018-09552

AFFECTED PRODUCTS

vendor:rockwellautomationmodel:arenascope:lteversion:15.10.00

Trust: 1.0

vendor:rockwell automationmodel:arenascope:lteversion:16.10.00

Trust: 0.8

vendor:rockwell automationmodel:arenascope: - version: -

Trust: 0.7

vendor:rockwellmodel:automation arenascope:lteversion:<=16.10.00

Trust: 0.6

vendor:rockwellautomationmodel:arenascope:eqversion:16.10.00

Trust: 0.6

vendor:rockwellmodel:automation arenascope:eqversion:15.10

Trust: 0.3

vendor:rockwellmodel:automation arenascope:eqversion:14.50

Trust: 0.3

vendor:rockwellmodel:automation arenascope:eqversion:13.50

Trust: 0.3

vendor:rockwellmodel:automation arenascope:eqversion:14.0

Trust: 0.3

vendor:rockwellmodel:automation arenascope:eqversion:13.9

Trust: 0.3

vendor:rockwellmodel:automation arenascope:eqversion:13.0

Trust: 0.3

vendor:rockwellmodel:automation arenascope:eqversion:12.0

Trust: 0.3

vendor:rockwellmodel:automation arenascope:neversion:15.10.1

Trust: 0.3

vendor:arenamodel: - scope:eqversion:*

Trust: 0.2

sources: IVD: e2ef386f-39ab-11e9-952c-000c29342cb1 // ZDI: ZDI-18-435 // CNVD: CNVD-2018-09552 // BID: 104166 // JVNDB: JVNDB-2018-005120 // CNNVD: CNNVD-201805-415 // NVD: CVE-2018-8843

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8843
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-8843
value: MEDIUM

Trust: 0.8

ZDI: CVE-2018-8843
value: MEDIUM

Trust: 0.7

CNVD: CNVD-2018-09552
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201805-415
value: MEDIUM

Trust: 0.6

IVD: e2ef386f-39ab-11e9-952c-000c29342cb1
value: MEDIUM

Trust: 0.2

VULHUB: VHN-138875
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-8843
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

ZDI: CVE-2018-8843
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.7

CNVD: CNVD-2018-09552
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:N/I:N/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: e2ef386f-39ab-11e9-952c-000c29342cb1
severity: MEDIUM
baseScore: 4.9
vectorString: AV:L/AC:L/AU:N/C:N/I:N/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-138875
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2018-8843
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: IVD: e2ef386f-39ab-11e9-952c-000c29342cb1 // ZDI: ZDI-18-435 // CNVD: CNVD-2018-09552 // VULHUB: VHN-138875 // JVNDB: JVNDB-2018-005120 // CNNVD: CNNVD-201805-415 // NVD: CVE-2018-8843

PROBLEMTYPE DATA

problemtype:CWE-416

Trust: 1.9

sources: VULHUB: VHN-138875 // JVNDB: JVNDB-2018-005120 // NVD: CVE-2018-8843

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201805-415

TYPE

Resource management error

Trust: 0.8

sources: IVD: e2ef386f-39ab-11e9-952c-000c29342cb1 // CNNVD: CNNVD-201805-415

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2018-005120

PATCH
title:Top Pageurl:https://www.rockwellautomation.com/
Trust: 0.8
title:Rockwell Automation has issued an update to correct this vulnerability.url:https://ics-cert.us-cert.gov/advisories/ICSA-18-130-02
Trust: 0.7
sources:
            
            
            ZDI: ZDI-18-435 // 
            
            
            
            JVNDB: JVNDB-2018-005120

EXTERNAL IDS
db:NVDid:CVE-2018-8843
Trust: 4.3
db:ICS CERTid:ICSA-18-130-02
Trust: 3.4
db:BIDid:104166
Trust: 2.0
db:CNVDid:CNVD-2018-09552
Trust: 0.8
db:CNNVDid:CNNVD-201805-415
Trust: 0.8
db:JVNDBid:JVNDB-2018-005120
Trust: 0.8
db:ZDI_CANid:ZDI-CAN-5496
Trust: 0.7
db:ZDIid:ZDI-18-435
Trust: 0.7
db:IVDid:E2EF386F-39AB-11E9-952C-000C29342CB1
Trust: 0.2
db:SEEBUGid:SSVID-98960
Trust: 0.1
db:VULHUBid:VHN-138875
Trust: 0.1
sources:
            
            
            IVD: e2ef386f-39ab-11e9-952c-000c29342cb1 // 
            
            
            
            ZDI: ZDI-18-435 // 
            
            
            
            CNVD: CNVD-2018-09552 // 
            
            
            
            VULHUB: VHN-138875 // 
            
            
            
            BID: 104166 // 
            
            
            
            JVNDB: JVNDB-2018-005120 // 
            
            
            
            CNNVD: CNNVD-201805-415 // 
            
            
            
            NVD: CVE-2018-8843

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-18-130-02
Trust: 4.1
url:http://www.securityfocus.com/bid/104166
Trust: 2.3
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8843
Trust: 0.8
url:https://nvd.nist.gov/vuln/detail/cve-2018-8843
Trust: 0.8
url:http://www.rockwellautomation.com/
Trust: 0.3
sources:
            
            
            ZDI: ZDI-18-435 // 
            
            
            
            CNVD: CNVD-2018-09552 // 
            
            
            
            VULHUB: VHN-138875 // 
            
            
            
            BID: 104166 // 
            
            
            
            JVNDB: JVNDB-2018-005120 // 
            
            
            
            CNNVD: CNNVD-201805-415 // 
            
            
            
            NVD: CVE-2018-8843

CREDITS
Ariele Caltabiano (kimiya)
Trust: 0.7
sources:
            
            
            ZDI: ZDI-18-435

SOURCES
db:IVDid:e2ef386f-39ab-11e9-952c-000c29342cb1
db:ZDIid:ZDI-18-435
db:CNVDid:CNVD-2018-09552
db:VULHUBid:VHN-138875
db:BIDid:104166
db:JVNDBid:JVNDB-2018-005120
db:CNNVDid:CNNVD-201805-415
db:NVDid:CVE-2018-8843

LAST UPDATE DATE
2024-11-23T23:05:06.538000+00:00

SOURCES UPDATE DATE
db:ZDIid:ZDI-18-435date:2018-05-14T00:00:00
db:CNVDid:CNVD-2018-09552date:2018-05-16T00:00:00
db:VULHUBid:VHN-138875date:2019-10-09T00:00:00
db:BIDid:104166date:2018-05-10T00:00:00
db:JVNDBid:JVNDB-2018-005120date:2018-07-06T00:00:00
db:CNNVDid:CNNVD-201805-415date:2019-10-17T00:00:00
db:NVDid:CVE-2018-8843date:2024-11-21T04:14:26.053

SOURCES RELEASE DATE
db:IVDid:e2ef386f-39ab-11e9-952c-000c29342cb1date:2018-05-16T00:00:00
db:ZDIid:ZDI-18-435date:2018-05-14T00:00:00
db:CNVDid:CNVD-2018-09552date:2018-05-16T00:00:00
db:VULHUBid:VHN-138875date:2018-05-14T00:00:00
db:BIDid:104166date:2018-05-10T00:00:00
db:JVNDBid:JVNDB-2018-005120date:2018-07-06T00:00:00
db:CNNVDid:CNNVD-201805-415date:2018-05-15T00:00:00
db:NVDid:CVE-2018-8843date:2018-05-14T18:29:00.220