ID

VAR-202001-0760


CVE

CVE-2019-13521


TITLE

Rockwell Automation Arena Simulation Software  Vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2019-014432

DESCRIPTION

A maliciously crafted program file opened by an unsuspecting user of Rockwell Automation Arena Simulation Software version 16.00.00 and earlier may result in the limited exposure of information related to the targeted workstation. Rockwell Automation has released version 16.00.01 of Arena Simulation Software to address the reported vulnerabilities. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the processing of DOE files. Crafted data in a DOE file can allow execution of arbitrary commands without prompting the user. An attacker can leverage this vulnerability to execute code in the context of the current user

Trust: 2.88

sources: NVD: CVE-2019-13521 // JVNDB: JVNDB-2019-014432 // ZDI: ZDI-19-799 // CNVD: CNVD-2020-14918 // VULHUB: VHN-145376

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-14918

AFFECTED PRODUCTS

vendor:rockwellautomationmodel:arena simulationscope:lteversion:16.00.00

Trust: 1.0

vendor:rockwell automationmodel:arena simulation softwarescope:eqversion: -

Trust: 0.8

vendor:rockwell automationmodel:arena simulation softwarescope:lteversion:16.00.00

Trust: 0.8

vendor:rockwell automationmodel:arena simulationscope: - version: -

Trust: 0.7

vendor:rockwellmodel:automation rockwell automation arena simulation softwarescope:lteversion:<=16.00.00

Trust: 0.6

vendor:rockwellautomationmodel:arena simulationscope:eqversion: -

Trust: 0.6

vendor:rockwellautomationmodel:arena simulationscope:eqversion:16.00.00

Trust: 0.6

sources: ZDI: ZDI-19-799 // CNVD: CNVD-2020-14918 // JVNDB: JVNDB-2019-014432 // CNNVD: CNNVD-201909-367 // NVD: CVE-2019-13521

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-13521
value: HIGH

Trust: 1.0

NVD: CVE-2019-13521
value: HIGH

Trust: 0.8

ZDI: CVE-2019-13521
value: HIGH

Trust: 0.7

CNVD: CNVD-2020-14918
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201909-367
value: HIGH

Trust: 0.6

VULHUB: VHN-145376
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2019-13521
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-14918
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-145376
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2019-13521
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-13521
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2019-13521
baseSeverity: HIGH
baseScore: 7.8
vectorString: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-19-799 // CNVD: CNVD-2020-14918 // VULHUB: VHN-145376 // JVNDB: JVNDB-2019-014432 // CNNVD: CNNVD-201909-367 // NVD: CVE-2019-13521

PROBLEMTYPE DATA

problemtype:CWE-357

Trust: 1.0

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:Other (CWE-Other) [NVD Evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2019-014432 // NVD: CVE-2019-13521

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201909-367

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-201909-367

PATCH

title:Top Pageurl:https://www.rockwellautomation.com/global/overview.page

Trust: 0.8

title:Rockwell Automation has issued an update to correct this vulnerability.url:https://www.us-cert.gov/ics/advisories/icsa-19-213-05

Trust: 0.7

title:Patch for Rockwell Automation Arena Simulation Software code execution vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/206319

Trust: 0.6

sources: ZDI: ZDI-19-799 // CNVD: CNVD-2020-14918 // JVNDB: JVNDB-2019-014432

EXTERNAL IDS

db:NVDid:CVE-2019-13521

Trust: 3.8

db:ZDIid:ZDI-19-799

Trust: 3.0

db:ICS CERTid:ICSA-19-213-05

Trust: 2.5

db:JVNDBid:JVNDB-2019-014432

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-8134

Trust: 0.7

db:CNVDid:CNVD-2020-14918

Trust: 0.7

db:CNNVDid:CNNVD-201909-367

Trust: 0.7

db:VULHUBid:VHN-145376

Trust: 0.1

sources: ZDI: ZDI-19-799 // CNVD: CNVD-2020-14918 // VULHUB: VHN-145376 // JVNDB: JVNDB-2019-014432 // CNNVD: CNNVD-201909-367 // NVD: CVE-2019-13521

REFERENCES

url:https://www.us-cert.gov/ics/advisories/icsa-19-213-05

Trust: 3.2

url:https://www.zerodayinitiative.com/advisories/zdi-19-799/

Trust: 2.3

url:https://nvd.nist.gov/vuln/detail/cve-2019-13521

Trust: 1.4

sources: ZDI: ZDI-19-799 // CNVD: CNVD-2020-14918 // VULHUB: VHN-145376 // JVNDB: JVNDB-2019-014432 // CNNVD: CNNVD-201909-367 // NVD: CVE-2019-13521

CREDITS

kimiya of 9SG Security Team - kimiya@9sgsec.com

Trust: 1.3

sources: ZDI: ZDI-19-799 // CNNVD: CNNVD-201909-367

SOURCES

db:ZDIid:ZDI-19-799
db:CNVDid:CNVD-2020-14918
db:VULHUBid:VHN-145376
db:JVNDBid:JVNDB-2019-014432
db:CNNVDid:CNNVD-201909-367
db:NVDid:CVE-2019-13521

LAST UPDATE DATE

2024-08-14T13:44:27.535000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-19-799date:2019-09-09T00:00:00
db:CNVDid:CNVD-2020-14918date:2020-03-02T00:00:00
db:VULHUBid:VHN-145376date:2020-02-03T00:00:00
db:JVNDBid:JVNDB-2019-014432date:2020-02-17T00:00:00
db:CNNVDid:CNNVD-201909-367date:2020-02-12T00:00:00
db:NVDid:CVE-2019-13521date:2020-02-03T17:12:35.850

SOURCES RELEASE DATE

db:ZDIid:ZDI-19-799date:2019-09-09T00:00:00
db:CNVDid:CNVD-2020-14918date:2020-03-02T00:00:00
db:VULHUBid:VHN-145376date:2020-01-27T00:00:00
db:JVNDBid:JVNDB-2019-014432date:2020-02-17T00:00:00
db:CNNVDid:CNNVD-201909-367date:2019-09-09T00:00:00
db:NVDid:CVE-2019-13521date:2020-01-27T23:15:10.497