ID

VAR-202403-2758


CVE

CVE-2024-21919


TITLE

Rockwell Automation Arena Simulation: vulnerability in accessing uninitialized pointers

Trust: 0.8

sources: JVNDB: JVNDB-2024-014211

DESCRIPTION

An uninitialized pointer in Rockwell Automation Arena Simulation software could potentially allow a malicious user to insert unauthorized code into the software by leveraging the pointer after it is properly. Once inside, the threat actor can run harmful code on the system. This affects the confidentiality, integrity, and availability of the product. To trigger this, the user would unwittingly need to open a malicious file shared by the threat actor. (DoS) It may be in a state

Trust: 2.16

sources: NVD: CVE-2024-21919 // JVNDB: JVNDB-2024-014211 // CNVD: CNVD-2024-18334

IOT TAXONOMY

category: ['ICS'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-18334

AFFECTED PRODUCTS

vendor: rockwellautomation, model: arena, scope: lt, version: 16.20.03

Trust: 1.0

vendor: rockwellautomation, model: arena, scope: gte, version: 16.00.00

Trust: 1.0

vendor: rockwell automation, model: arena simulation, scope: eq, version: 16.00.00 or later, before 16.20.03

Trust: 0.8

vendor: rockwell automation, model: arena simulation, scope: -, version: -

Trust: 0.8

vendor: rockwell automation, model: arena simulation, scope: eq, version: -

Trust: 0.8

vendor: rockwell, model: automation arena simulation software, scope: eq, version: 16.00

Trust: 0.6

sources: CNVD: CNVD-2024-18334 // JVNDB: JVNDB-2024-014211 // NVD: CVE-2024-21919

CVSS

SEVERITY

CVSSV2

CVSSV3

PSIRT@rockwellautomation.com: CVE-2024-21919
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2024-21919
value: HIGH

Trust: 1.0

NVD: CVE-2024-21919
value: HIGH

Trust: 0.8

CNVD: CNVD-2024-18334
value: HIGH

Trust: 0.6

CNVD: CNVD-2024-18334
severity: HIGH
baseScore: 7.2
vectorString: AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 3.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

PSIRT@rockwellautomation.com: CVE-2024-21919
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 2.0

NVD: CVE-2024-21919
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2024-18334 // JVNDB: JVNDB-2024-014211 // NVD: CVE-2024-21919 // NVD: CVE-2024-21919

PROBLEMTYPE DATA

problemtype: CWE-824

Trust: 1.0

problemtype: Accessing uninitialized pointers (CWE-824) [others]

Trust: 0.8

problemtype: Accessing uninitialized pointers (CWE-824) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2024-014211 // NVD: CVE-2024-21919

PATCH

title: Patch for Rockwell Automation Arena Simulation Software Uninitialized Pointer Access Vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/543381

Trust: 0.6

sources: CNVD: CNVD-2024-18334

EXTERNAL IDS

db: NVD, id: CVE-2024-21919

Trust: 3.2

db: JVNDB, id: JVNDB-2024-014211

Trust: 0.8

db: CNVD, id: CNVD-2024-18334

Trust: 0.6

sources: CNVD: CNVD-2024-18334 // JVNDB: JVNDB-2024-014211 // NVD: CVE-2024-21919

REFERENCES

url: https://www.rockwellautomation.com/en-us/support/advisory.sd-1665.html

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2024-21919

Trust: 0.8

sources: CNVD: CNVD-2024-18334 // JVNDB: JVNDB-2024-014211 // NVD: CVE-2024-21919

SOURCES

db: CNVD, id: CNVD-2024-18334
db: JVNDB, id: JVNDB-2024-014211
db: NVD, id: CVE-2024-21919

LAST UPDATE DATE

2024-12-17T22:56:58.140000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2024-18334, date: 2024-04-17T00:00:00
db: JVNDB, id: JVNDB-2024-014211, date: 2024-12-10T02:13:00
db: NVD, id: CVE-2024-21919, date: 2024-12-17T16:16:16.773

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2024-18334, date: 2024-04-17T00:00:00
db: JVNDB, id: JVNDB-2024-014211, date: 2024-12-10T00:00:00
db: NVD, id: CVE-2024-21919, date: 2024-03-26T16:15:11.073