Rockwell Automation Arena Simulation Software (Update B)

Plan PatchCVSS 8.6ICS-CERT ICSA-19-213-05Aug 1, 2019

Rockwell AutomationManufacturing

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Arena Simulation Software versions 16.00.00 and earlier contain multiple memory corruption and unsafe type casting vulnerabilities (CWE-416, CWE-843, CWE-824) that can be triggered by opening specially crafted .doe model files. Successful exploitation allows an attacker to cause the application to crash (denial of service) or execute arbitrary code on the affected workstation. The vulnerabilities are not remotely exploitable and require user interaction to open a malicious file. No known public exploits currently exist.

What this means

What could happen

An attacker who tricks a user into opening a malicious file (.doe format) could cause the Arena Simulation Software to crash or behave unexpectedly, and potentially run arbitrary code on the user's workstation with the same privileges as the Arena application.

Who's at risk

Manufacturing facilities using Rockwell Automation Arena Simulation Software for process modeling and simulation. This affects engineering workstations used for plant design, production planning, and optimization, not operational control systems directly, but compromised engineering workstations could be a stepping stone to production systems.

How it could be exploited

An attacker crafts a malicious .doe (Arena model) file and tricks a user into opening it in Arena Simulation Software. When opened, the file exploits memory corruption or unsafe handling vulnerabilities to crash the application or execute arbitrary code on the system.

Prerequisites

User must open a malicious .doe file in Arena Simulation Software
User must have Arena version 16.00.00 or earlier installed
Arena application must be running on the workstation

Local attack vector only (requires user interaction)Low attack complexity (malicious file)High CVSS score (8.6)Memory corruption vulnerabilitiesCould lead to arbitrary code execution

Exploitability

Some exploitation risk — EPSS score 6.4%

Affected products (1)

ProductAffected VersionsFix Status

Arena Simulation Software for Manufacturing Cat. 9502-Ax:≤ 16.00.0016.00.01

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDo not open .doe files from untrusted sources

HARDENINGRun Arena Simulation Software as a regular user, not as Administrator

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Arena Simulation Software to version 16.00.01 or later

Long-term hardening

0/1

HARDENINGIsolate engineering workstations running Arena from the business network and the Internet

CVEs (5)

CVE-2019-13510 CVE-2019-13511 CVE-2019-13519 CVE-2019-13521 CVE-2019-13527

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0f662b85-ef07-4659-803c-442b63963c73

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.