#VU21332 Command Injection


Published: 2019-09-25

Vulnerability identifier: #VU21332

Vulnerability risk: High

CVSSv3.1:

CVE-ID: CVE-2019-13521

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Arena
Server applications / Virtualization software

Vendor: Rockwell Automation

Description

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to improper input validation when processing the .DOE files. A remote attacker can trick a victim to open a specially crafted .DOE file and execute arbitrary commands on the target system without prompting the user.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Arena: 14.50.00 - 16.00.00


CPE

External links
http://www.zerodayinitiative.com/advisories/ZDI-19-799/
http://www.us-cert.gov/ics/advisories/icsa-19-213-05


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability