OTPulse

Multiple File Parsing Vulnerabilities in Parasolid

Plan: Patch
CVSS: 7.8
Advisory: SSA-588101
Date: Dec 13, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Parasolid contains out-of-bounds read and write vulnerabilities in file parsing that can be triggered when opening malicious X_B format files. These vulnerabilities could allow an attacker to execute arbitrary code in the context of the Parasolid application process. The vulnerabilities affect Parasolid V33.1, V34.0, V34.1, and V35.0 versions prior to specified patch levels.

What this means
What could happen
An attacker can gain code execution on an engineering workstation running Parasolid by tricking a user into opening a specially crafted X_B format file. This could compromise design files, expose intellectual property, or inject malicious modifications into CAD models used in industrial designs.
Who's at risk
Engineering and design teams at manufacturing, energy, and water utilities that use Parasolid for 3D geometry modeling and CAD operations. Affected groups include equipment manufacturers, automation engineers, and process design teams. Because the vulnerability requires user interaction (opening a file), the risk falls primarily on engineering workstations rather than on runtime control systems.
How it could be exploited
An attacker crafts a malicious X_B format file (Parasolid's native geometry representation) and delivers it via email, file share, or repository where an engineer would open it. When the engineer opens the file in Parasolid, the out-of-bounds read/write vulnerabilities trigger during file parsing, executing attacker code in the Parasolid process.
Prerequisites
  • User must open a malicious X_B format file in Parasolid
  • Attacker must be able to deliver the file to the target engineer (email, file sharing service, design repository)
  • Parasolid application must be running on the workstation
  • Low complexity attack
  • User interaction required
  • High CVSS score (7.8)
  • No authentication needed
  • Affects design/engineering systems used in OT environments
  • Potential for code execution in CAD context
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
Product           Affected Versions   Fix Status
Parasolid V33.1   < V33.1.264         Fixed in 33.1.264
Parasolid V34.0   < V34.0.252         Fixed in 34.0.252
Parasolid V34.1   < V34.1.242         Fixed in 34.1.242
Parasolid V35.0   < V35.0.170         Fixed in 35.0.170
Remediation & Mitigation
Do now
WORKAROUND: Restrict X_B file opening to trusted sources; scan files from external sources before opening
HARDENING: Educate engineers on the risks of opening files from untrusted sources, especially CAD files
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Parasolid V33.1
HOTFIX: Update Parasolid V33.1 to version 33.1.264 or later
Parasolid V34.0
HOTFIX: Update Parasolid V34.0 to version 34.0.252 or later
Parasolid V34.1
HOTFIX: Update Parasolid V34.1 to version 34.1.242 or later
Parasolid V35.0
HOTFIX: Update Parasolid V35.0 to version 35.0.170 or later
Long-term hardening
HARDENING: Implement file validation or sandboxing for Parasolid operations on critical design systems