Multiple File Parsing Vulnerabilities in Solid Edge before V223 Update 7

Plan Patch7.8SSA-811403Aug 8, 2023

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Solid Edge SE2023 is affected by multiple memory corruption vulnerabilities (CWE-787 buffer overflow, CWE-125 out-of-bounds read) in file parsing routines. Vulnerabilities are triggered when the application reads specially crafted files in DFT, PAR, or PSM format. An attacker could leverage these vulnerabilities to crash the application or execute arbitrary code on the engineer's workstation.

What this means

What could happen

If an engineer opens a malicious Solid Edge design file, an attacker could crash the CAD application or execute arbitrary code on the engineering workstation, potentially compromising design data and gaining access to network resources that the workstation can reach.

Who's at risk

Engineering teams and design departments at utilities and manufacturers who use Solid Edge SE2023 for CAD work should care. Affected equipment includes engineering workstations running Solid Edge SE2023 before Update 7. Risk is highest for organizations where engineers receive design files from external sources or untrusted partners.

How it could be exploited

An attacker crafts a malicious DFT, PAR, or PSM file and tricks an engineer into opening it with Solid Edge. The vulnerable file parsing code reads the malicious file data, triggering a buffer overflow or out-of-bounds memory read. This results in application crash (denial of service) or arbitrary code execution on the engineer's workstation with the privileges of the user running Solid Edge.

Prerequisites

User interaction required: engineer must open the malicious file with Solid Edge
Solid Edge SE2023 version earlier than 223.0 Update 7 must be installed
File must be in a supported format (DFT, PAR, PSM)

requires user interaction to open malicious filelow complexity exploitaffects engineering workstations (integrity of design data at risk)high impact if code execution achieved

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

Solid Edge SE2023< V223.0 Update 7223.0 Update 7

Remediation & Mitigation

0/1

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Solid Edge SE2023 to version 223.0 Update 7 or later

CVEs (9)

CVE-2023-39181 CVE-2023-39182 CVE-2023-39183 CVE-2023-39184 CVE-2023-39185 CVE-2023-39186 CVE-2023-39187 CVE-2023-39188 CVE-2023-39419

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/408f1e3c-fb69-49bc-9ad1-9cd54b2d8a78