CVE-2024-11156: 
NixOS vulnerability analysis and mitigation

An out-of-bounds write code execution vulnerability (CVE-2024-11156) exists in the Rockwell Automation Arena® software that could allow a threat actor to write beyond the boundaries of allocated memory in a DOE file. The vulnerability affects Arena versions 16.20.03 and prior. This vulnerability was discovered by Rocco Calvi (@TecR0c) with TecSecurity working with Trend Micro Zero Day Initiative (CISA Advisory, ZDI Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 base score of 8.5 with the vector string AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The specific flaw exists within the parsing of DOE files and results from the lack of proper validation of user-supplied data. The vulnerability is classified as CWE-787 (Out-of-bounds Write) (Rockwell Advisory, ZDI Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The vulnerability requires user interaction to exploit, as the target must open a malicious file (ZDI Advisory).

Rockwell Automation recommends users upgrade to V16.20.06 or later. Additional mitigations include: not loading untrusted Arena model files, and holding the control key down when loading files to help prevent the VBA file stream from loading. Users should also implement suggested security best practices to minimize the risk of the vulnerability (Rockwell Advisory).