Multiple IGS File Parsing Vulnerabilities in PS/IGES Parasolid Translator Component before V27.1.215
Plan Patch | 7.8 | SSA-976324 | May 14, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
PS/IGES Parasolid Translator Component contains multiple file parsing vulnerabilities (buffer overflow, out-of-bounds read, type confusion) that can be triggered when the application reads malicious IGS (IGES) file format data. Exploitation requires a user to open a crafted file, which could cause the application to crash or lead to arbitrary code execution on the workstation.
What this means
What could happen
A user tricked into opening a malicious IGS (IGES) file could crash the application or allow an attacker to execute arbitrary code on the engineering workstation running the Parasolid Translator.
Who's at risk
Design and engineering teams using Siemens Parasolid CAD software for mechanical design, particularly those who work with IGES file imports from external suppliers or customers. This affects any user on engineering workstations running the Parasolid Translator component before version 27.1.215.
How it could be exploited
An attacker crafts a malicious IGS file with specially formatted data that exploits parsing vulnerabilities in the Parasolid Translator. When an engineer or technician opens the file, the parser's buffer handling flaws (CWE-119, CWE-125) or type confusion issues (CWE-843) are triggered, leading to a crash or code execution on that workstation.
Prerequisites
- User interaction required: victim must open a malicious IGS file
- Parasolid Translator application installed and in use
- File can be delivered via email, file share, or download
User interaction required · Affects engineering workstations · Local code execution possible · No authentication needed once file is opened
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| PS/IGES Parasolid Translator Component | <V27.1.215 | 27.1.215 |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update PS/IGES Parasolid Translator Component to version 27.1.215 or later
CVEs (11)