Siemens Tecnomatix Plant Simulation

Plan PatchCVSS 7.8ICS-CERT ICSA-24-046-07Feb 13, 2024

Siemens

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Tecnomatix Plant Simulation contains multiple buffer overflow and out-of-bounds memory access vulnerabilities in the WRL, PSOBJ, and SPP file parsers. When a user opens a malicious file in one of these formats, the application could crash or allow arbitrary code execution. Siemens has released patches for V2201 (version 2201.0012) and V2302 (versions 2302.0006 and 2302.0007), but V2201 has no fix available for CVE-2024-23799, 23800, 23801, and 23803. Exploitation requires social engineering to trick a user into opening a hostile file; remote exploitation is not possible.

What this means

What could happen

If a user opens a malicious WRL, PSOBJ, or SPP file in Tecnomatix Plant Simulation, the application could crash, causing work stoppage, or an attacker could execute arbitrary code on the engineering workstation. This affects anyone using the software to design or simulate manufacturing processes.

Who's at risk

This affects anyone using Siemens Tecnomatix Plant Simulation V2201 or V2302 for manufacturing process design and simulation, particularly plant engineers and CAD operators who may receive or download files from external sources. The vulnerability requires user interaction (opening a file) and is not remotely exploitable, so the primary risk is to engineering workstations that may be less protected than OT production networks.

How it could be exploited

An attacker creates a malicious file in WRL, PSOBJ, or SPP format and tricks a user into opening it in Tecnomatix Plant Simulation (via email, file sharing, or social engineering). When the application parses the file, memory corruption vulnerabilities (buffer overflow, out-of-bounds access) allow the attacker to crash the application or run code with the user's privileges on the engineering workstation.

Prerequisites

User must open a malicious file with Tecnomatix Plant Simulation
File must be in WRL, PSOBJ, or SPP format
No special credentials or network access required

Requires user interaction (file opening)Low complexity exploitationMultiple vulnerability types (memory corruption)V2201 has no fix for 4 of 8 CVEsCould lead to code execution on engineering workstation

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

Tecnomatix Plant Simulation V2201<V2201.00122201.0012

Tecnomatix Plant Simulation V2302<V2302.00062302.0006

Tecnomatix Plant Simulation V2302<V2302.00072302.0007

Tecnomatix Plant Simulation V2201All versions2201.0012

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDDo not open untrusted or unexpected WRL, PSOBJ, or SPP files from email, file shares, or external sources in Tecnomatix Plant Simulation

WORKAROUNDEducate users about social engineering and email phishing that may deliver malicious files; do not click links or open attachments in unsolicited email

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

Tecnomatix Plant Simulation V2201

HOTFIXUpdate Tecnomatix Plant Simulation V2201 to version 2201.0012 or later (fixes CVE-2024-23795, 23796, 23797, 23798, 23802, 23804)

Tecnomatix Plant Simulation V2302

HOTFIXUpdate Tecnomatix Plant Simulation V2302 to version 2302.0006 or later (fixes CVE-2024-23795, 23796, 23797, 23798, 23802, 23804)

HOTFIXUpdate Tecnomatix Plant Simulation V2302 to version 2302.0007 or later (fixes CVE-2024-23799, 23800, 23801, 23803)

Long-term hardening

0/1

HARDENINGRestrict network access to engineering workstations running Tecnomatix Plant Simulation using firewalls and network segmentation; isolate design networks from business networks

CVEs (10)

CVE-2024-23795 CVE-2024-23796 CVE-2024-23797 CVE-2024-23798 CVE-2024-23799 CVE-2024-23800 CVE-2024-23801 CVE-2024-23802 CVE-2024-23803 CVE-2024-23804

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fbd1d56c-302a-4663-9754-91dfbdf320ca

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.