X_T File Parsing Vulnerabilities in Parasolid
Plan Patch · 7.8 · SSA-046364 · May 14, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Parasolid is affected by out-of-bounds read and null pointer dereference vulnerabilities triggered when the application reads files in X_T format. If a user opens a malicious X_T file with the affected application, an attacker could leverage these vulnerabilities to execute code in the context of the current process or cause a denial of service condition.
What this means
What could happen
An attacker could trick a design engineer into opening a malicious X_T file, leading to code execution with the privileges of the application or causing the design application to crash and stop work.
Who's at risk
Design engineers and CAD users at manufacturing facilities, automotive suppliers, and engineering firms who use Parasolid for 3D modeling and geometric computation. Anyone who receives X_T files from untrusted or potentially compromised sources and opens them in Parasolid.
How it could be exploited
An attacker creates a malicious X_T format file with crafted data that triggers an out-of-bounds read or null pointer dereference when Parasolid parses the file. The attacker sends this file to a user (e.g., via email or a shared repository) and tricks them into opening it with Parasolid. Any resulting code execution happens in the context of the logged-in user running Parasolid.
Prerequisites
- User must open a malicious X_T file with Parasolid
- No special credentials or network access required
Low complexity attack · User interaction required (file open) · Code execution possible · Affects design/engineering systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| Parasolid V35.1 | <V35.1.256 | 35.1.256 |
| Parasolid V36.0 | <V36.0.208 | 36.0.208 |
| Parasolid V36.1 | <V36.1.173 | 36.1.173 |
Remediation & Mitigation
Do now
WORKAROUND: Advise users not to open X_T files from untrusted or unexpected sources until patches are applied
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Parasolid V35.1
HOTFIX: Update Parasolid V35.1 to version 35.1.256 or later
Parasolid V36.0
HOTFIX: Update Parasolid V36.0 to version 36.0.208 or later
Parasolid V36.1
HOTFIX: Update Parasolid V36.1 to version 36.1.173 or later
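To decide which workstations need the hotfixes listed above, the following added example (not part of the advisory and not vendor tooling) triages an asset inventory against the fixed versions. It assumes the inventory reports Parasolid versions as strings such as `V35.1.200` or `35.1.200`; the host names and versions in the sample are constructed.

```python
import re

# Fixed build per release branch, taken from the advisory's product table.
FIXED = {(35, 1): 256, (36, 0): 208, (36, 1): 173}

# Assumed inventory format: optional "V", then major.minor.build.
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)$")


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'not-listed' or 'unparseable'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, build = (int(g) for g in m.groups())
    fixed_build = FIXED.get((major, minor))
    if fixed_build is None:
        # The advisory is silent on other branches; flag for manual review.
        return "not-listed"
    # Compare as integers: compared as strings, "99" sorts after "256".
    return "affected" if build < fixed_build else "fixed"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so affected hosts can be scheduled first."""
    result = {"affected": [], "fixed": [], "not-listed": [], "unparseable": []}
    for host, version in sorted(inventory.items()):
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "cad-ws-01": "V35.1.99",
    "cad-ws-02": "35.1.256",
    "cad-ws-03": "V36.0.207",
    "cad-ws-04": "V36.1.173",
    "cad-ws-05": "V34.1.150",
    "cad-ws-06": "36.1",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:12} {', '.join(hosts) or '-'}")
```

Hosts reported as `not-listed` or `unparseable` need manual review, since the advisory only covers the three branches in its table.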