Multiple File Parsing Vulnerabilities in Solid Edge V2024
Action: Plan Patch
Score: 7.8
Siemens advisory: SSA-730188
Published: Dec 10, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Siemens Solid Edge SE2024 contains multiple file parsing vulnerabilities in its handling of the PAR and ASM file formats. They are triggered when a user opens a malicious file and can lead to an application crash or arbitrary code execution. The underlying defects are a heap-based buffer overflow (CWE-122) and integer underflow (wraparound) issues (CWE-191) in the file parsing logic.
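The advisory names CWE-122 (heap-based buffer overflow) and CWE-191 (integer underflow/wraparound) but publishes no detail of the affected parsing code. The C example below is added here as a generic illustration of that defect class in a length-prefixed record parser, and of the validation that removes it. The record layout, function names and sample bytes are constructed for the illustration and are not Solid Edge's code or the PAR/ASM format.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout for this illustration only (NOT the Solid Edge
 * PAR/ASM format, which the advisory does not describe):
 *   bytes 0..3 : little-endian total record length, header included
 *   bytes 4..  : payload of (length - 4) bytes */
#define HDR_LEN 4u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked form, kept only to show the defect class. With len < 4 the
 * subtraction wraps to ~4 GiB (CWE-191); with len > avail the memcpy runs
 * past the input and past the heap buffer (CWE-122). Never called here. */
static int parse_record_unchecked(const uint8_t *buf, size_t avail,
                                  uint8_t **out, size_t *out_len) {
    if (avail < HDR_LEN) return -1;
    uint32_t payload = rd_le32(buf) - HDR_LEN;   /* wraps when len < 4 */
    uint8_t *p = malloc(payload);                /* size may be bogus */
    if (!p) return -4;
    memcpy(p, buf + HDR_LEN, payload);           /* no bound against avail */
    *out = p; *out_len = payload;
    return 0;
}

/* Hardened form: validate the length field against both the header size
 * (prevents the wraparound) and the bytes actually present (prevents the
 * overflow) before any arithmetic or allocation depends on it.
 * Returns 0 on success; negative codes identify the rejected condition. */
static int parse_record_checked(const uint8_t *buf, size_t avail,
                                uint8_t **out, size_t *out_len) {
    if (avail < HDR_LEN) return -1;              /* header itself truncated */
    uint32_t len = rd_le32(buf);
    if (len < HDR_LEN) return -2;                /* would underflow below */
    if (len > avail)   return -3;                /* claims bytes not present */
    size_t payload = len - HDR_LEN;              /* now provably in range */
    uint8_t *p = malloc(payload ? payload : 1);  /* malloc(0) is implementation-defined */
    if (!p) return -4;
    memcpy(p, buf + HDR_LEN, payload);
    *out = p; *out_len = payload;
    return 0;
}

/* Convenience wrapper: parse, free, and report only the status code. */
static int record_status(const uint8_t *buf, size_t avail) {
    uint8_t *p = NULL; size_t n = 0;
    int rc = parse_record_checked(buf, avail, &p, &n);
    free(p);
    return rc;
}

/* Convenience wrapper: parse and report the accepted payload length, or 0. */
static size_t record_payload_len(const uint8_t *buf, size_t avail) {
    uint8_t *p = NULL; size_t n = 0;
    if (parse_record_checked(buf, avail, &p, &n) != 0) return 0;
    free(p);
    return n;
}

/* Constructed sample records (not real CAD data). */
static const uint8_t rec_good[] = { 7, 0, 0, 0, 'a', 'b', 'c' };   /* len 7, 3-byte payload */
static const uint8_t rec_wrap[] = { 2, 0, 0, 0, 'a', 'b', 'c' };   /* len 2 < header: CWE-191 */
static const uint8_t rec_over[] = { 64, 0, 0, 0, 'a', 'b', 'c' };  /* len 64 > 7 available: CWE-122 */

int main(void) {
    (void)parse_record_unchecked;                /* reference only; never executed */
    printf("good: %d (payload %zu)\n", record_status(rec_good, sizeof rec_good),
           record_payload_len(rec_good, sizeof rec_good));
    printf("wrap: %d\n", record_status(rec_wrap, sizeof rec_wrap));
    printf("over: %d\n", record_status(rec_over, sizeof rec_over));
    printf("trunc: %d\n", record_status(rec_good, 3));
    return 0;
}
```

The two checks in `parse_record_checked` are the whole point: the lower bound stops the subtraction from wrapping, and the upper bound ties the attacker-controlled length to the bytes that actually exist, so a malformed file is rejected with a status code instead of corrupting the heap.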
What this means
What could happen
An attacker could trick a user into opening a malicious CAD file (PAR or ASM format), which could crash Solid Edge or potentially allow the attacker to run arbitrary code on the engineering workstation with the user's privileges.
Who's at risk
Engineering and design teams using Solid Edge SE2024 for CAD work. This affects manufacturers, design firms, and utilities that rely on Solid Edge for equipment design and documentation. The vulnerability requires user interaction, so it primarily affects designers and engineers who work with external or untrusted CAD files.
How it could be exploited
An attacker crafts a malicious Solid Edge file (PAR or ASM) and socially engineers an engineer or designer to open it. When the file is parsed by Solid Edge, the vulnerability in the file parsing code is triggered, leading to memory corruption or code execution on the workstation.
Prerequisites
- User with Solid Edge installed must open a malicious PAR or ASM file
- User interaction required (file must be opened manually)
- Affected version of Solid Edge must be installed
Tags: User interaction required · Affects engineering workstations · Could lead to arbitrary code execution · File parsing vulnerability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2, both with a fix available)
Product | Affected Versions | Fix Status
Solid Edge SE2024 | All versions < V224.0 Update 5 | Fixed in V224.0 Update 5
Solid Edge SE2024 | All versions < V224.0 Update 10 | Fixed in V224.0 Update 10
Remediation & Mitigation
Do now
- HARDENING: Educate users not to open PAR or ASM files from untrusted sources
Schedule (requires maintenance window; patching may require a device reboot, so plan for process interruption)
Solid Edge SE2024:
- HOTFIX: Update Solid Edge SE2024 to V224.0 Update 5 or later
- HOTFIX: Update Solid Edge SE2024 to V224.0 Update 10 or later
Long-term hardening
- HARDENING: Restrict file sharing and email attachments containing CAD files to trusted internal sources only