Siemens Parasolid and Teamcenter Visualization
Plan Patch | 7.8 | ICS-CERT ICSA-23-222-06 | Aug 8, 2023
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Parasolid and Teamcenter Visualization contain memory corruption vulnerabilities (CWE-476, CWE-125, CWE-787, CWE-770) triggered when the application reads malicious X_T format files. An attacker could exploit these flaws through a specially crafted file to achieve remote code execution or cause denial of service in the context of the user's process. Siemens has released patches for most affected versions. Teamcenter Visualization V14.1 has no fix available; V14.1 and V14.3 are scheduled for fixes in the next patch release.
What this means
What could happen
Memory corruption in file parsing could allow an attacker to run arbitrary code or crash the application when a user opens a malicious X_T format file, potentially disrupting design or manufacturing workflows that depend on Parasolid or Teamcenter Visualization.
Who's at risk
This advisory affects organizations that use Siemens Parasolid (CAD modeling kernel used in engineering design) or Teamcenter Visualization (product data visualization software) for product design, reverse engineering, or manufacturing planning. At-risk users include design engineers, CAM programmers, and manufacturing engineers who regularly open part and assembly files in X_T format.
How it could be exploited
An attacker crafts a malicious X_T (Parasolid native) file and tricks a user into opening it in Parasolid or Teamcenter Visualization. The application fails to properly validate the file structure, triggering a memory corruption flaw that allows code execution in the context of the user running the application.
Prerequisites
- User interaction required: victim must open a malicious X_T file
- Parasolid or Teamcenter Visualization application must be installed and used to open files
- X_T file format support enabled (default)
- Local exploitation only (user interaction required)
- Low attack complexity
- No authentication required
- Requires user interaction (opening file)
- Design/engineering workflow disruption risk
- Code execution or denial of service possible
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (12)
11 with fix, 1 EOL
Product | Affected Versions | Fix Status
Parasolid V34.1 | <V34.1.258 | 34.1.258
Parasolid V35.0 | <V35.0.254 | 35.0.254
Parasolid V35.1 | <V35.1.171 | 35.1.171
Parasolid V35.1 | <V35.1.197 | 35.1.197
Parasolid V35.1 | <V35.1.184 | 35.1.184
Teamcenter Visualization V14.1 | <V14.1.0.11 | 14.1.0.11
Teamcenter Visualization V14.2 | <V14.2.0.6 | 14.2.0.6
Teamcenter Visualization V14.2 | <V14.2.0.12 | 14.2.0.12
Remediation & Mitigation
Do now
WORKAROUND: Do not open untrusted or unexplained X_T files in Parasolid or Teamcenter Visualization
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Parasolid V34.1
HOTFIX: Update Parasolid V34.1 to version 34.1.258 or later
Parasolid V35.0
HOTFIX: Update Parasolid V35.0 to version 35.0.254 or later
Parasolid V35.1
HOTFIX: Update Parasolid V35.1 to version 35.1.171 or later
Teamcenter Visualization V14.2
HOTFIX: Update Teamcenter Visualization V14.2 to version 14.2.0.6 or later
Teamcenter Visualization V14.3
HOTFIX: Update Teamcenter Visualization V14.3 to version 14.3.0.3 or later
Teamcenter Visualization V2312
HOTFIX: Update Teamcenter Visualization V2312 to version 2312.0004 or later
Mitigations - no patch available
Teamcenter Visualization V14.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Educate users on email security and not opening file attachments from untrusted sources
HARDENING: Restrict network access to workstations running Parasolid and Teamcenter Visualization using firewalls and access control lists
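The remediation list above can be turned into an inventory check. The following is an added example, not code from Siemens or from this advisory: it takes its minimum fixed versions from the remediation list (the affected-products table shows further thresholds for V35.1 and V14.2), and it assumes installed versions are reported as dotted numbers. The function names, hostnames and inventory rows are constructed for illustration.

```python
# Added example: inventory triage against this advisory's remediation list.
# (product, branch) -> minimum fixed version, copied from that list.
FIXED = {
    ("Parasolid", "V34.1"): "34.1.258",
    ("Parasolid", "V35.0"): "35.0.254",
    ("Parasolid", "V35.1"): "35.1.171",
    ("Teamcenter Visualization", "V14.2"): "14.2.0.6",
    ("Teamcenter Visualization", "V14.3"): "14.3.0.3",
    ("Teamcenter Visualization", "V2312"): "2312.0004",
}
# Branch listed as End of Life: no patch, compensating controls only.
EOL = {("Teamcenter Visualization", "V14.1")}

def parse(version):
    """Turn '35.1.171' or 'V2312.0004' into a tuple of ints for comparison."""
    parts = version.strip().lstrip("Vv").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)

def branch_of(product, version):
    """Map an installed version to the advisory's branch label, or None."""
    v = parse(version)
    # V2312 is a one-component branch; the others are major.minor.
    for label in ("V%d" % v[0], "V" + ".".join(map(str, v[:2]))):
        if (product, label) in FIXED or (product, label) in EOL:
            return label
    return None

def triage(product, version):
    """Return 'patched', 'vulnerable', 'eol' or 'unlisted'."""
    label = branch_of(product, version)
    if label is None:
        return "unlisted"
    if (product, label) in EOL:
        return "eol"
    # Tuple comparison: a shorter version such as 14.2.0 sorts below 14.2.0.6.
    return "patched" if parse(version) >= parse(FIXED[(product, label)]) else "vulnerable"

# Constructed inventory rows (hostnames and installed versions are made up).
INVENTORY = [
    ("cad-ws-01", "Parasolid", "35.1.150"),
    ("cad-ws-02", "Teamcenter Visualization", "14.1.0.9"),
    ("cad-ws-03", "Teamcenter Visualization", "2312.0004"),
]

def report(rows=INVENTORY):
    return [(host, triage(product, version)) for host, product, version in rows]
```

Hosts that come back as `eol` are the ones that need the compensating controls listed above rather than a patch window.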
CVEs (9)