Multiple File Parsing Vulnerabilities in Solid Edge
Plan Patch7.8SSA-491245Feb 14, 2023
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary
Solid Edge is affected by multiple memory corruption vulnerabilities in its file parsing logic for X_B, DWG, DXF, STL, STP, SLDPRT, and PAR file formats. If a user opens a specially crafted file, the application could crash, leak sensitive design data, or allow arbitrary code execution. Siemens has released security updates for SE2022 (version 222.0MP12) and SE2023 (version 223.0Update2).
What this means
What could happen
An attacker could craft a malicious design file (X_B, DWG, DXF, STL, STP, etc.) that, when opened in Solid Edge, crashes the application, leaks sensitive design data, or executes arbitrary code on the engineering workstation.
Who's at risk
This affects manufacturing and design organizations that use Solid Edge (Siemens' CAD software) on engineering workstations. Users of Solid Edge SE2022 and SE2023 are at risk, particularly those who receive CAD files from external vendors, partners, or untrusted sources.
How it could be exploited
An attacker creates a specially crafted CAD file and sends it to an engineer or designer. When the engineer opens the file in Solid Edge, the file parser encounters a buffer overflow or memory corruption bug. The attacker can then crash the application, read sensitive data from memory, or execute arbitrary code with the privileges of the user running Solid Edge.
Prerequisites
- User interaction required: engineer must be tricked to open a malicious file
- Affected version of Solid Edge must be installed on the workstation
- File must be in a supported format (X_B, DWG, DXF, STL, STP, SLDPRT, PAR)
Requires user interaction (file must be opened)Affects engineering workstations rather than OT devices directlyMultiple file format support increases exposureCode execution possibleEPSS score low (0.4%) but not zero
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
3 with fix
ProductAffected VersionsFix Status
Solid Edge SE2022< V222.0MP12222.0MP12
Solid Edge SE2023< V223.0Update2223.0Update2
Solid Edge SE2022All versions222.0MP12
Remediation & Mitigation
0/4
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
Solid Edge SE2022
HOTFIXUpdate Solid Edge SE2022 to firmware version 222.0MP12 or later
Solid Edge SE2023
HOTFIXUpdate Solid Edge SE2023 to firmware version 223.0Update2 or later
Long-term hardening
0/2HARDENINGRestrict file sharing and implement a process for vetting CAD files from external sources before opening in Solid Edge
HARDENINGTrain engineers to be cautious when opening unsolicited CAD files from external sources
CVEs (37)
CVE-2021-32936CVE-2021-32938CVE-2021-32948CVE-2021-43336CVE-2021-43391CVE-2022-46345CVE-2022-46346CVE-2022-46347CVE-2022-46348CVE-2022-46349CVE-2023-22295CVE-2023-22321CVE-2023-22354CVE-2023-22669CVE-2023-22670CVE-2023-22846CVE-2023-23579CVE-2023-24549CVE-2023-24550CVE-2023-24551CVE-2023-24552CVE-2023-24553CVE-2023-24554CVE-2023-24555CVE-2023-24556CVE-2023-24557CVE-2023-24558CVE-2023-24559CVE-2023-24560CVE-2023-24561CVE-2023-24562CVE-2023-24563CVE-2023-24564CVE-2023-24565CVE-2023-24566CVE-2023-24581CVE-2023-25140
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/1473dff0-56d0-46c2-a08d-49dfd7a44702