Siemens Parasolid

Act NowCVSS 7.5ICS-CERT ICSA-22-349-12Dec 13, 2022

SiemensEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

OpenSSL versions 3.0.0 through 3.0.6 contain two buffer overflow vulnerabilities (CVE-2022-3602, CVE-2022-3786) in X.509 certificate verification. These affect multiple Siemens products including Parasolid (CAD), Calibre ICE, Mcenter, SCALANCE X-200RNA switch family, SICAM GridPass, and SIMATIC RTLS Locating Manager. The vulnerabilities could allow denial of service or arbitrary code execution if a vulnerable application processes a malicious X.509 certificate or X_B file. Siemens has released patches for most products; SCALANCE X-200RNA has no fix available and requires network controls as mitigation.

What this means

What could happen

A buffer overflow in OpenSSL's X.509 certificate verification could cause denial of service or allow code execution on systems using Parasolid, Calibre ICE, Mcenter, SICAM GridPass, or SIMATIC RTLS Locating Manager. The SCALANCE X-200RNA switch family is affected but has no patch available.

Who's at risk

Energy sector organizations using Siemens CAD/design tools (Parasolid, Calibre ICE), network infrastructure management (Mcenter), grid security software (SICAM GridPass), or RTLS location tracking (SIMATIC RTLS Locating Manager) are affected. The SCALANCE X-200RNA managed industrial Ethernet switch family is also impacted but cannot be patched.

How it could be exploited

An attacker would need to create a malicious X.509 certificate or X_B file and cause a vulnerable Parasolid application (or other affected Siemens product) to process it. For TLS scenarios, the attacker could present a crafted certificate during client authentication. Local file-based exploitation is also possible if untrusted files are opened in Parasolid.

Prerequisites

Vulnerable OpenSSL 3.0.0–3.0.6 component running in the affected product
For TLS client exploitation: network reachability to a server hosting the vulnerable application
For file-based exploitation: ability to place or trick user into opening a malicious X_B file
No authentication required for the X.509 parsing vulnerability itself

High EPSS score (83.2%)Buffer overflow in widely-used OpenSSL componentAffects multiple critical energy sector productsNo patch available for SCALANCE X-200RNA switch familyCan cause denial of service or code executionLow complexity exploitation

Exploitability

Likely to be exploited — EPSS score 83.5%

Public Proof-of-Concept (PoC) on GitHub (9 repositories)

Affected products (5)

4 with fix1 EOL

ProductAffected VersionsFix Status

Calibre ICE≥ V2022.4<V2023.12023.1

Mcenter≥ V5.2.1<V5.3.05.3.0

SICAM GridPass≥ V1.80<V2.202.20

SIMATIC RTLS Locating Manager≥ V2.13<V2.13.0.32.13.0.3

SCALANCE X-200RNA switch family≥ V3.2.7No fix (EOL)

Remediation & Mitigation

0/12

Do now

0/2

SCALANCE X-200RNA switch family

HARDENINGFor SCALANCE X-200RNA switch family (no patch available): restrict network access to the switch using firewall rules and network segmentation

All products

WORKAROUNDDo not open untrusted X_B files in Parasolid

Schedule — requires maintenance window

0/8

Patching may require device reboot — plan for process interruption

Calibre ICE

HOTFIXUpdate Calibre ICE to version 2023.1 or later

Mcenter

HOTFIXUpdate Mcenter to version 5.3.0 or later

SICAM GridPass

HOTFIXUpdate SICAM GridPass to version 2.20 or later

SIMATIC RTLS Locating Manager

HOTFIXUpdate SIMATIC RTLS Locating Manager to version 2.13.0.3 or later

All products

HOTFIXUpdate Parasolid V33.1 to V33.1.264 or later

HOTFIXUpdate Parasolid V35.0 to V35.0.170 or later

HOTFIXUpdate Parasolid V34.1 to V34.1.242 or later

HOTFIXUpdate Parasolid V34.0 to V34.0.252 or later

Mitigations - no patch available

0/2

SCALANCE X-200RNA switch family has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate control system networks from business networks and the Internet using firewalls and network segmentation

HARDENINGUse VPN or other secure methods only when remote access to control systems is required

CVEs (2)

CVE-2022-3602 CVE-2022-3786

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0a02de06-b4dc-44ba-b57d-df6b6d9eb1a7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.