Siemens Parasolid
Priority: Plan Patch
CVSS: 7.8
ICS-CERT ICSA-24-137-01
Published: May 14, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Parasolid contains out-of-bounds read and null pointer dereference vulnerabilities triggered when parsing malicious X_T (model) files. If a user is tricked into opening a specially crafted X_T file, the application could crash (denial of service) or an attacker could execute arbitrary code in the context of the Parasolid process. The vulnerabilities are not exploitable remotely and require user interaction.
What this means
What could happen
An attacker could trick a user into opening a malicious X_T file, causing the Parasolid application to crash (denial of service) or potentially allowing arbitrary code execution in the user's process context. If Parasolid is used to control or validate designs for critical infrastructure systems, this could disrupt engineering workflows or compromise design data integrity.
Who's at risk
Design and engineering teams using Parasolid for 3D CAD modeling and product design—including mechanical design, architecture, and infrastructure design environments. Any organization using Parasolid V35.1 (before 35.1.256), V36.0 (before 36.0.208), or V36.1 (before 36.1.173) is affected. Critical for water authorities and utilities if Parasolid is used for infrastructure component design or validation.
How it could be exploited
An attacker creates a malicious X_T (Parasolid model) file containing crafted data that triggers an out-of-bounds read or null pointer dereference. The attacker sends or hosts this file (via email, web link, file share) and tricks an engineer into opening it in Parasolid. The vulnerable parser processes the malicious data, causing a crash or executing arbitrary code in the context of the engineering workstation.
Prerequisites
- User must be tricked into opening a malicious X_T file
- Parasolid application must be installed and used to open files
- No authentication or special network access required—exploitation is local to the workstation
- Requires user interaction (social engineering needed)
- Affects design and engineering tools, not real-time control systems
- Low EPSS score (0.1%)
- Patch is available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 with fix
Product            Affected Versions    Fix Status
Parasolid V35.1    < V35.1.256          Fixed in 35.1.256
Parasolid V36.0    < V36.0.208          Fixed in 36.0.208
Parasolid V36.1    < V36.1.173          Fixed in 36.1.173
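The affected-version table above maps directly onto an inventory check. The following is an added example, not code from the advisory, from Siemens or from ICS-CERT: it parses Parasolid version strings as they typically appear ("V36.0.150" or "36.0.150"), compares the build number against the first fixed build for that branch, and flags workstations that still need the hotfix. The inventory records are constructed sample data, and the `assess`/`triage` function names are this example's own.

```python
import re

# First fixed build per branch, taken from the advisory's affected-products table.
# Any build below the listed number on that branch is affected.
FIXED_BUILDS = {
    (35, 1): 256,   # Parasolid V35.1 < 35.1.256
    (36, 0): 208,   # Parasolid V36.0 < 36.0.208
    (36, 1): 173,   # Parasolid V36.1 < 36.1.173
}


def parse_version(text):
    """Parse 'V36.0.150' or '36.0.150' into an (major, minor, build) int tuple."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised Parasolid version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Classify one installed version against the advisory.

    status is one of:
      'affected'   - branch is listed and build is below the fixed build
      'fixed'      - branch is listed and build is at or above the fixed build
      'not-listed' - branch is not covered by this advisory (no claim either way)
    """
    major, minor, build = parse_version(version_text)
    branch = (major, minor)
    if branch not in FIXED_BUILDS:
        return {"version": version_text.strip(), "status": "not-listed", "fix": None}
    fixed = FIXED_BUILDS[branch]
    if build < fixed:
        return {
            "version": version_text.strip(),
            "status": "affected",
            "fix": f"{major}.{minor}.{fixed}",
        }
    return {"version": version_text.strip(), "status": "fixed", "fix": None}


def triage(inventory):
    """Return the hosts that need the hotfix, with the target version for each.

    inventory: iterable of (hostname, version_text) pairs, e.g. from a software
    inventory export. Unparseable entries are reported separately rather than
    silently skipped, since an unknown version is not evidence of being patched.
    """
    needs_update, unparseable = [], []
    for host, version_text in inventory:
        try:
            result = assess(version_text)
        except ValueError:
            unparseable.append((host, version_text))
            continue
        if result["status"] == "affected":
            needs_update.append((host, result["version"], result["fix"]))
    return needs_update, unparseable


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    ("cad-ws-01", "V35.1.200"),   # below 35.1.256 -> affected
    ("cad-ws-02", "36.0.208"),    # exactly the fixed build -> fixed
    ("cad-ws-03", "V36.1.172"),   # one build short -> affected
    ("cad-ws-04", "V34.0.100"),   # branch not in the advisory
    ("cad-ws-05", "unknown"),     # inventory gap, must be followed up manually
]

if __name__ == "__main__":
    to_patch, gaps = triage(SAMPLE_INVENTORY)
    for host, current, target in to_patch:
        print(f"{host}: {current} is affected, update to {target} or later")
    for host, raw in gaps:
        print(f"{host}: could not parse version {raw!r}, verify manually")
```

The `not-listed` status is deliberate: the advisory names only the three branches in the table, so a build on another branch is reported as outside the advisory's scope rather than asserted to be safe.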
Remediation & Mitigation
Do now
- WORKAROUND: Do not open untrusted or unknown X_T files in Parasolid
- HARDENING: Educate users and engineers not to download or open X_T files from untrusted sources
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- Parasolid V35.1 (HOTFIX): Update Parasolid V35.1 to version 35.1.256 or later
- Parasolid V36.0 (HOTFIX): Update Parasolid V36.0 to version 36.0.208 or later
- Parasolid V36.1 (HOTFIX): Update Parasolid V36.1 to version 36.1.173 or later
Long-term hardening
- HARDENING: Implement network segmentation to limit where engineering workstations can share files, reducing the attack surface for malicious file distribution
API:
/api/v1/advisories/5c92889f-dc08-4573-9567-e6f0669e3552