OTPulse

Siemens Parasolid Installer

Monitor | CVSS 7.8 | ICS-CERT ICSA-23-222-02 | Aug 8, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the Nullsoft Scriptable Installer System (NSIS) software embedded in Parasolid installers creates an unprotected uninstall directory with insufficient access controls (CWE-732). An attacker with local user account access to a Windows machine where Parasolid V35.0 or V35.1 was installed could exploit this to escalate privileges and gain system-level control of that computer. The vulnerability affects only systems where Parasolid was installed using the official Parasolid installer; it is not remotely exploitable. Siemens recommends uninstalling and reinstalling Parasolid with the latest available installer and scanning affected systems for evidence of malicious activity.

What this means
What could happen
An attacker with local access to a computer where Parasolid was installed could escalate their privileges to gain elevated system control over that machine. This could lead to unauthorized access to sensitive CAD files, design data, or potentially the ability to modify files used by engineering workstations connected to your industrial network.
Who's at risk
This affects organizations that use Siemens Parasolid CAD software for engineering design work, particularly on Windows workstations in manufacturing plants, engineering departments, or any facility using Parasolid V35.0 or V35.1 installations. Impact is limited to the local machine where the software was installed; it does not directly affect industrial control devices like PLCs or safety systems unless those devices' configurations are modified through a compromised engineering workstation.
How it could be exploited
An attacker must already have local user account access to a Windows computer where Parasolid was installed. They exploit an unprotected directory left by the installer to escalate their privileges to system-level access. This requires physical or prior remote access to the machine; it cannot be exploited over the network.
Prerequisites
  • Local user account access on a Windows computer where Parasolid V35.0 or V35.1 was installed via the official Parasolid installer
  • The uninstall directory must still exist on disk
local access required, privilege escalation vulnerability, low complexity attack, affects engineering workstations, no fix available for current versions
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
2 EOL
Product          Affected Versions  Fix Status
Parasolid V35.1  All versions       No fix (EOL)
Parasolid V35.0  All versions       No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Run a full antivirus scan on any computer that previously had Parasolid installed to detect any malicious use of this vulnerability
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Parasolid V35.0
HOTFIX: Uninstall affected Parasolid V35.0 and V35.1 instances and reinstall using the latest available Parasolid installer
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Parasolid V35.1, Parasolid V35.0. Apply the following compensating controls:
HARDENING: Restrict local user access to engineering workstations running Parasolid—allow only trusted personnel to have user accounts on these systems
HARDENING: Isolate engineering workstations and Parasolid installation computers behind a firewall and separate network segment from general business network traffic
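
The summary attributes the issue to an uninstall directory with insufficient access controls (CWE-732). The PowerShell check below is an added example, not part of the advisory or of Siemens' guidance: it lists ACL entries that give broad non-administrative groups write-type access to a directory. The function name and the path are placeholders, since the advisory does not state where the uninstall directory is located.

```powershell
# Added example. Reports ACEs that let broad, non-admin groups write to a directory.
function Test-WeakDirectoryAcl {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs (locale-independent) for broad, low-privileged groups.
    $lowPrivSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545',  # BUILTIN\Users
        'S-1-5-4'        # INTERACTIVE
    )

    # Rights that allow planting or replacing files, or rewriting the ACL itself.
    $R = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($R::WriteData -bor $R::AppendData -bor $R::Delete -bor
        $R::DeleteSubdirectoriesAndFiles -bor $R::ChangePermissions -bor $R::TakeOwnership)
    # Inherit-only ACEs may carry raw generic bits: GENERIC_ALL, GENERIC_WRITE.
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        Write-Verbose "Directory not present: $Path"
        return
    }

    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        if ($lowPrivSids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Placeholder path: substitute the uninstall directory actually found on the host.
Test-WeakDirectoryAcl -Path 'C:\PLACEHOLDER\parasolid-uninstall-dir' -Verbose
```

An empty result for a directory that exists means none of the listed groups hold write-type rights on it; it says nothing about whether the directory was abused before the check was run.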