OTPulse

Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer

Plan Patch | CVSS 7.8 | SSA-109294 | Sep 14, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Simcenter STAR-CCM+ Viewer contains a file parsing vulnerability in scene (.sce) file handling. If a user opens a malicious scene file, the application could crash, leak data from the host system, or execute arbitrary code with the privileges of the user running the viewer.

What this means
What could happen
An attacker could trick a user into opening a malicious scene file, causing the viewer application to crash, leak sensitive data, or run arbitrary commands on the engineering workstation. This could expose process simulation data or compromise the integrity of the design environment.
Who's at risk
Engineering teams and operators who use Siemens Simcenter STAR-CCM+ Viewer for computational fluid dynamics (CFD) analysis and process simulation. This affects workstations where the viewer is installed, particularly those that receive design files from external sources or shared repositories.
How it could be exploited
An attacker crafts a malicious .sce (scene) file and sends it to an engineer or operator via email, file sharing, or a compromised repository. When the user opens the file in Simcenter STAR-CCM+ Viewer, the parser fails to validate the file structure correctly, allowing a buffer overflow or memory corruption. This could crash the application or execute code with the user's privileges.
Prerequisites
  • User must open a malicious .sce file using the affected version of Simcenter STAR-CCM+ Viewer
  • No special access or credentials required beyond user interaction
  • User interaction required (file must be opened manually)
  • Low attack complexity
  • Could allow arbitrary code execution
  • EPSS score below 1% (low exploitation probability)
  • Fix is available from vendor
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product | Affected Versions | Fix Status
Simcenter STAR-CCM+ Viewer | < V2021.2.1 | 2021.2.1
Remediation & Mitigation
Do now
HARDENING: Instruct users not to open scene files (.sce) from untrusted sources or unknown senders
WORKAROUND: If immediate patching is not possible, disable file association with .sce files or use file type restrictions to prevent accidental opening of scene files
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Simcenter STAR-CCM+ Viewer to version 2021.2.1 or later