Siemens Parasolid
Act Now7.5ICS-CERT ICSA-22-349-12Dec 13, 2022
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
OpenSSL versions 3.0.0 through 3.0.6 contain two buffer overflow vulnerabilities (CVE-2022-3602, CVE-2022-3786) in X.509 certificate verification. These affect multiple Siemens products including Parasolid (CAD), Calibre ICE, Mcenter, SCALANCE X-200RNA switch family, SICAM GridPass, and SIMATIC RTLS Locating Manager. The vulnerabilities could allow denial of service or arbitrary code execution if a vulnerable application processes a malicious X.509 certificate or X_B file. Siemens has released patches for most products; SCALANCE X-200RNA has no fix available and requires network controls as mitigation.
What this means
What could happen
A buffer overflow in OpenSSL's X.509 certificate verification could cause denial of service or allow code execution on systems using Parasolid, Calibre ICE, Mcenter, SICAM GridPass, or SIMATIC RTLS Locating Manager. The SCALANCE X-200RNA switch family is affected but has no patch available.
Who's at risk
Energy sector organizations using Siemens CAD/design tools (Parasolid, Calibre ICE), network infrastructure management (Mcenter), grid security software (SICAM GridPass), or RTLS location tracking (SIMATIC RTLS Locating Manager) are affected. The SCALANCE X-200RNA managed industrial Ethernet switch family is also impacted but cannot be patched.
How it could be exploited
An attacker would need to create a malicious X.509 certificate or X_B file and cause a vulnerable Parasolid application (or other affected Siemens product) to process it. For TLS scenarios, the attacker could present a crafted certificate during client authentication. Local file-based exploitation is also possible if untrusted files are opened in Parasolid.
Prerequisites
- Vulnerable OpenSSL 3.0.0–3.0.6 component running in the affected product
- For TLS client exploitation: network reachability to a server hosting the vulnerable application
- For file-based exploitation: ability to place or trick user into opening a malicious X_B file
- No authentication required for the X.509 parsing vulnerability itself
High EPSS score (83.2%)Buffer overflow in widely-used OpenSSL componentAffects multiple critical energy sector productsNo patch available for SCALANCE X-200RNA switch familyCan cause denial of service or code executionLow complexity exploitation
Exploitability
High exploit probability (EPSS 83.2%)
Affected products (5)
4 with fix1 EOL
ProductAffected VersionsFix Status
Calibre ICE≥ V2022.4<V2023.12023.1
Mcenter≥ V5.2.1<V5.3.05.3.0
SICAM GridPass≥ V1.80<V2.202.20
SIMATIC RTLS Locating Manager≥ V2.13<V2.13.0.32.13.0.3
SCALANCE X-200RNA switch family≥ V3.2.7No fix (EOL)
Remediation & Mitigation
0/12
Do now
0/2SCALANCE X-200RNA switch family
HARDENINGFor SCALANCE X-200RNA switch family (no patch available): restrict network access to the switch using firewall rules and network segmentation
All products
WORKAROUNDDo not open untrusted X_B files in Parasolid
Schedule — requires maintenance window
0/8Patching may require device reboot — plan for process interruption
Calibre ICE
HOTFIXUpdate Calibre ICE to version 2023.1 or later
Mcenter
HOTFIXUpdate Mcenter to version 5.3.0 or later
SICAM GridPass
HOTFIXUpdate SICAM GridPass to version 2.20 or later
SIMATIC RTLS Locating Manager
HOTFIXUpdate SIMATIC RTLS Locating Manager to version 2.13.0.3 or later
All products
HOTFIXUpdate Parasolid V33.1 to V33.1.264 or later
HOTFIXUpdate Parasolid V35.0 to V35.0.170 or later
HOTFIXUpdate Parasolid V34.1 to V34.1.242 or later
HOTFIXUpdate Parasolid V34.0 to V34.0.252 or later
Mitigations - no patch available
0/2SCALANCE X-200RNA switch family has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIsolate control system networks from business networks and the Internet using firewalls and network segmentation
HARDENINGUse VPN or other secure methods only when remote access to control systems is required
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/0a02de06-b4dc-44ba-b57d-df6b6d9eb1a7