Multiple Memory Corruption Vulnerabilities in Solid Edge

Plan Patch7.8SSA-589937May 14, 2024

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Solid Edge is affected by multiple memory corruption vulnerabilities (CWE-122, CWE-125, CWE-121) that can be triggered when parsing PAR files. If a user opens a malicious PAR file, an attacker can execute arbitrary code in the application's context.

What this means

What could happen

An attacker can execute arbitrary code on an engineering workstation running Solid Edge by tricking a user into opening a malicious PAR file, potentially allowing access to design files, credentials, or lateral movement within the plant network.

Who's at risk

Design and engineering teams using Solid Edge for CAD/mechanical design work are affected. This includes any organization where engineers, drafters, or designers use Solid Edge for manufacturing, plant design, or equipment design—particularly in industries like water utilities, power generation, and chemical processing where design modifications could impact operations.

How it could be exploited

An attacker crafts a malicious PAR file and sends it to an engineer via email or hosts it on a compromised website. When the engineer opens the file in Solid Edge, the memory corruption vulnerabilities are triggered, allowing the attacker to execute arbitrary code with the engineer's privileges on their workstation.

Prerequisites

User must open a malicious PAR file in Solid Edge
No network connectivity required
No authentication bypass needed

Requires user interaction (file open)Local execution onlyLow exploit complexityAffects engineering workstations with access to sensitive design data

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

Solid EdgeAll versions < V224.0 Update 5224.0 Update 5

Solid EdgeAll versions < V224.0 Update 2224.0 Update 2

Solid EdgeAll versions < V224.0 Update 4224.0 Update 4

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGTrain engineers and drafters not to open PAR files from untrusted sources

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

Solid Edge

HOTFIXUpdate Solid Edge to V224.0 Update 5 or later

Long-term hardening

0/1

HARDENINGRestrict file sharing and email attachments to known trusted sources where feasible

CVEs (8)

CVE-2024-33489 CVE-2024-33490 CVE-2024-33491 CVE-2024-33492 CVE-2024-33493 CVE-2024-34771 CVE-2024-34772 CVE-2024-34773

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6651a239-eca6-4cef-b858-dadaa402669a