Details of VAR-202403-2357

ID

VAR-202403-2357

CVE

CVE-2024-21918

TITLE

Rockwell Automation of arena simulation Vulnerability in using free memory in

Trust: 0.8

sources: JVNDB: JVNDB-2024-014255

DESCRIPTION

A memory buffer vulnerability in Rockwell Automation Arena Simulation software could potentially allow a malicious user to insert unauthorized code to the software by corrupting the memory and triggering an access violation. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor. Rockwell Automation of arena simulation Exists in a vulnerability related to the use of freed memory.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Rockwell Automation Arena Simulation Software is a set of simulation software from Rockwell Automation of the United States that provides 3D animation and graphics functions

Trust: 2.16

sources: NVD: CVE-2024-21918 // JVNDB: JVNDB-2024-014255 // CNVD: CNVD-2024-18333

IOT TAXONOMY

category:

['ICS']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-18333

AFFECTED PRODUCTS

vendor:	rockwellautomation	model:	arena	scope:	lt	version:	16.20.03	Trust: 1.0
vendor:	rockwellautomation	model:	arena	scope:	gte	version:	16.00.00	Trust: 1.0
vendor:	rockwell automation	model:	arena simulation	scope:	eq	version:	16.00.00 that's all 16.20.03	Trust: 0.8
vendor:	rockwell automation	model:	arena simulation	scope:	-	version:	-	Trust: 0.8
vendor:	rockwell automation	model:	arena simulation	scope:	eq	version:	-	Trust: 0.8
vendor:	rockwell	model:	automation arena simulation software	scope:	eq	version:	16.00	Trust: 0.6

sources: CNVD: CNVD-2024-18333 // JVNDB: JVNDB-2024-014255 // NVD: CVE-2024-21918

CVSS

SEVERITY

CVSSV2

CVSSV3

PSIRT@rockwellautomation.com:	CVE-2024-21918
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2024-21918
value:	HIGH
Trust: 1.0
NVD:	CVE-2024-21918
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2024-18333
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-18333
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

PSIRT@rockwellautomation.com:	CVE-2024-21918
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.8
impactScore:	5.9
version:	3.1
Trust: 2.0
NVD:	CVE-2024-21918
baseSeverity:	HIGH
baseScore:	7.8
vectorString:	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2024-18333 // JVNDB: JVNDB-2024-014255 // NVD: CVE-2024-21918 // NVD: CVE-2024-21918

PROBLEMTYPE DATA

problemtype:	CWE-416	Trust: 1.0
problemtype:	Use of freed memory (CWE-416) [ others ]	Trust: 0.8
problemtype:	Use of freed memory (CWE-416) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-014255 // NVD: CVE-2024-21918

PATCH

title:

Patch for Rockwell Automation Arena Simulation Software Use-After-Free Vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/543376

Trust: 0.6

sources: CNVD: CNVD-2024-18333

EXTERNAL IDS

db:	NVD	id:	CVE-2024-21918	Trust: 3.2
db:	ICS CERT	id:	ICSA-24-086-03	Trust: 0.8
db:	JVN	id:	JVNVU95922371	Trust: 0.8
db:	JVNDB	id:	JVNDB-2024-014255	Trust: 0.8
db:	CNVD	id:	CNVD-2024-18333	Trust: 0.6

sources: CNVD: CNVD-2024-18333 // JVNDB: JVNDB-2024-014255 // NVD: CVE-2024-21918

REFERENCES

url:	https://www.rockwellautomation.com/en-us/support/advisory.sd-1665.html	Trust: 1.6
url:	https://jvn.jp/vu/jvnvu95922371/	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2024-21918	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03	Trust: 0.8

sources: CNVD: CNVD-2024-18333 // JVNDB: JVNDB-2024-014255 // NVD: CVE-2024-21918

SOURCES

db:	CNVD	id:	CNVD-2024-18333
db:	JVNDB	id:	JVNDB-2024-014255
db:	NVD	id:	CVE-2024-21918

LAST UPDATE DATE

2024-12-17T22:36:09.385000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-18333	date:	2024-04-17T00:00:00
db:	JVNDB	id:	JVNDB-2024-014255	date:	2024-12-10T06:09:00
db:	NVD	id:	CVE-2024-21918	date:	2024-12-17T16:15:50.300

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-18333	date:	2024-04-17T00:00:00
db:	JVNDB	id:	JVNDB-2024-014255	date:	2024-12-10T00:00:00
db:	NVD	id:	CVE-2024-21918	date:	2024-03-26T16:15:10.877