Multiple Memory Corruption Vulnerabilities in Simcenter Femap

Plan Patch7.8SSA-881356Dec 10, 2024

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Simcenter Femap V2306, V2401, and V2406 contain multiple memory corruption vulnerabilities (CWE-122, CWE-119) in the BDF file parser. When a user opens a malicious BDF file, the application may crash or execute arbitrary code with user privileges. Siemens has released an update for V2406 and is preparing fixes for other versions.

What this means

What could happen

If an engineer opens a malicious BDF file in Simcenter Femap, the application could crash, lose unsaved work, or execute arbitrary code with the privileges of the user account running Femap.

Who's at risk

Mechanical and structural engineers, CAD/CAM departments, and design teams using Simcenter Femap for finite element analysis and NASTRAN model preparation. This affects any organization relying on Femap for mechanical simulation, product design, or structural analysis workflows.

How it could be exploited

An attacker sends a crafted BDF (finite element analysis) file to an engineer. When the engineer opens the file in Femap to review or analyze the model, the memory corruption vulnerability is triggered, causing a crash or code execution. The attack requires user interaction (opening the file) and works only on the local machine where Femap runs.

Prerequisites

User must open a malicious BDF file in Simcenter Femap
User must be tricked or socially engineered to open the file
The file must be in BDF format (NASTRAN bulk data format)

Low complexity attackUser interaction requiredArbitrary code execution possibleLocal attack vector onlyNo fixes available for V2301 and V2401

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (3)

1 with fix2 EOL

ProductAffected VersionsFix Status

Simcenter Femap V2406All versionsLatest version via Femap 2406 Nastran Updates package

Simcenter Femap V2401All versionsNo fix (EOL)

Simcenter Femap V2306All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGLimit BDF file access: Configure file sharing and email filters to restrict distribution of BDF files from external sources

HARDENINGEducate engineers on the risk of opening BDF files from untrusted sources; implement file validation or scanning procedures before opening files in Femap

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

Simcenter Femap V2406

HOTFIXUpdate Simcenter Femap V2406 to the latest version using the Femap 2406 Nastran Updates package from Siemens support portal

All products

WORKAROUNDMonitor Siemens support for updates to Femap V2301, V2401, and other affected versions

CVEs (2)

CVE-2024-41981 CVE-2024-47046

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5b0deefd-eec4-444d-95bb-d7bb8920bba4