Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer before V2022.1
Plan Patch7.8SSA-166747Mar 8, 2022
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary
Simcenter STAR-CCM+ Viewer versions before 2022.1 contain a memory corruption vulnerability in scene (.sce) file parsing. When a user opens a malicious scene file, the vulnerability can be triggered, leading to application crash, arbitrary code execution, or data extraction on the host system.
What this means
What could happen
An engineer opening a malicious scene file could crash the Simcenter Viewer application or allow an attacker to run arbitrary code on the engineering workstation, potentially compromising sensitive simulation data or the workstation itself.
Who's at risk
Engineering and simulation teams using Simcenter STAR-CCM+ Viewer for computational fluid dynamics (CFD) analysis and visualization. Anyone who receives and opens scene files shared from external sources or untrusted channels is at risk.
How it could be exploited
An attacker crafts a malicious .sce (scene) file and tricks an engineer into opening it with Simcenter STAR-CCM+ Viewer. When the file is parsed, memory corruption occurs, which could be leveraged to execute arbitrary code on the workstation or extract sensitive simulation data.
Prerequisites
- User action required: engineer must open a malicious .sce file
- Access to send the malicious file to the engineer (email, file share, USB, etc.)
User interaction requiredMemory corruption vulnerabilityCan lead to arbitrary code executionAffects engineering workstations
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
ProductAffected VersionsFix Status
Simcenter STAR-CCM+ Viewer< V2022.12022.1
Remediation & Mitigation
0/2
Do now
0/1WORKAROUNDAdvise users not to open scene files (.sce) from untrusted sources or unknown origins
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate Simcenter STAR-CCM+ Viewer to version 2022.1 or later
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/19b1f66d-69b5-4b71-a637-291ec40bf9bd