Out of Bounds Write Vulnerability in Parasolid
CVSS 7.8 (High) · Siemens advisory SSA-979056 · Published Dec 10, 2024
Attack Vector: Local
Authentication Required: None
Attack Complexity: Low
User Interaction: Required
Summary
Parasolid is affected by an out-of-bounds write vulnerability in the X_T file parser. When a user opens a specially crafted X_T format file, the vulnerability can be triggered to write beyond allocated memory boundaries, potentially enabling arbitrary code execution in the context of the application process.
What this means
What could happen
A crafted X_T CAD file, once opened by an engineer in Parasolid, can corrupt the process's memory and run attacker-chosen code on the workstation with the privileges of that user. From there the attacker can read or alter engineering data and design files and use the workstation as a foothold for lateral movement into the network.
Who's at risk
Engineering and design teams using Siemens Parasolid for CAD/CAM work, particularly in manufacturing, aerospace, automotive and utilities. Any workstation running an affected Parasolid version on which engineers open X_T files received from external or untrusted sources is exposed.
How it could be exploited
The attacker crafts a malicious X_T file (Parasolid's text transmit format) and persuades an engineer to open it, for example as an email attachment or a shared design file. When Parasolid parses the file, the out-of-bounds write in the parser corrupts memory and, with suitably chosen file contents, yields code execution in the CAD application's process context.
Prerequisites
- The user must open the malicious X_T file in Parasolid
- An affected Parasolid version must be in use (V36.1 earlier than V36.1.225, or V37.0 earlier than V37.0.173)
- No privileges or credentials are required; the attacker only needs to get the file in front of the user
At a glance:
- No authentication required
- Low attack complexity
- User interaction required (opening the file)
- High CVSS score (7.8)
- Affects engineering workstations with access to design data
Exploitability
Low predicted probability of in-the-wild exploitation (EPSS 0.1%, i.e. roughly a 0.1% chance of observed exploitation activity within the next 30 days). The local attack vector and the need to open a file keep the realistic threat focused on targeted delivery of crafted files to engineers.
Affected products (2), both with a fix available

Product            Affected versions   Fix status
Parasolid V36.1    < V36.1.225         Fixed in V36.1.225
Parasolid V37.0    < V37.0.173         Fixed in V37.0.173
Remediation & Mitigation
Do now
Workaround: Educate engineers not to open X_T files from untrusted sources or unsolicited emails until the fix is applied.
Hardening: Implement file type restrictions or email gateway controls that block X_T files from external senders. Match on file content as well as extension, since a renamed attachment bypasses an extension-only rule.
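The gateway control above is easy to get wrong if it keys only on the file name. The following is an added example of a content-based check, not code from the advisory, from Siemens or from Parasolid. It assumes that an X_T text-transmit file opens with the fixed alphabet banner line (`**ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz***...`) followed by a `**PARASOLID ...` line; validate that assumption against real samples from your own environment before relying on it. The sample header, the `classify_attachment` policy and the `.x_t`/`.xmt_txt` extension list are all mine.

```python
"""Content-based detection of Parasolid X_T files for a mail gateway or upload filter.

Added example; not code from the advisory, from Siemens or from Parasolid.
Assumption: an X_T text-transmit file opens with the fixed alphabet banner
line '**ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz***...' followed by
a '**PARASOLID ...' line. Validate against real samples before deploying.
"""
import re

# First bytes of the X_T banner line (assumption, see module docstring).
XT_BANNER = b"**ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# The second header line names the format.
XT_PARASOLID_LINE = re.compile(rb"^\*\*PARASOLID ", re.MULTILINE)
# Extensions under which X_T transmit files are normally exchanged (assumption).
XT_EXTENSIONS = (".x_t", ".xmt_txt")


def is_parasolid_xt(data: bytes) -> bool:
    """True if the content looks like an X_T transmit file, whatever the file name says."""
    head = data[:1024]  # the header block sits at the very start of the file
    return head.startswith(XT_BANNER) and XT_PARASOLID_LINE.search(head) is not None


def has_xt_extension(filename: str) -> bool:
    return filename.lower().endswith(XT_EXTENSIONS)


def classify_attachment(filename: str, data: bytes, external_sender: bool) -> str:
    """Gateway decision: 'block', 'quarantine' or 'allow'.

    - X_T content from an external sender is blocked even when the file was
      renamed (e.g. to .txt) to slip past an extension-only rule.
    - A file that claims to be X_T by extension but lacks the X_T header is
      quarantined for a human look (corruption or mislabelling).
    - Everything else passes, so internal X_T exchange keeps working.
    """
    looks_xt = is_parasolid_xt(data)
    if looks_xt and external_sender:
        return "block"
    if has_xt_extension(filename) and not looks_xt:
        return "quarantine"
    return "allow"


# Constructed sample: a minimal header in the X_T layout assumed above, not a real part.
SAMPLE_XT = (
    b"**ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz**************************\n"
    b"**PARASOLID !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~0123456789**************************\n"
    b"**PART1;MC=constructed;APPL=constructed;FORMAT=text;GUISE=transmit;DATE=01-jan-2024;\n"
    b"**PART2;SCH=constructed;USFLD_SIZE=0;\n"
    b"**PART3;\n"
    b"**END_OF_HEADER*****************************************************************\n"
)

if __name__ == "__main__":
    cases = [
        ("bracket.x_t", SAMPLE_XT, True),      # external X_T: block
        ("notes.txt", SAMPLE_XT, True),        # renamed external X_T: still block
        ("bracket.x_t", b"nothing here", True),  # extension lies: quarantine
        ("bracket.x_t", SAMPLE_XT, False),     # internal X_T: allow
    ]
    for name, blob, ext in cases:
        print(name, "external" if ext else "internal", "->", classify_attachment(name, blob, ext))
```

Hook `classify_attachment` into whatever attachment-scanning stage your gateway exposes; the point is that the decision is driven by the bytes, so the rule survives a `.x_t` file arriving as `drawing.txt`.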
Schedule (requires a maintenance window)
Patching may require a reboot of the workstation; plan for interruption of running CAD sessions.
Parasolid V36.1
Hotfix: Update Parasolid V36.1 to version 36.1.225 or later
Parasolid V37.0
Hotfix: Update Parasolid V37.0 to version 37.0.173 or later
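Before scheduling the hotfixes it helps to turn the affected-version ranges above into a check you can run over an inventory export. The following is an added example and not vendor tooling; it assumes version strings of the form `V36.1.225` or `36.1.225` (major.minor.build) and takes the fixed-build numbers from the advisory table. The `assess` function and its return layout are mine.

```python
"""Check an installed Parasolid build against the affected ranges in this advisory.

Added example, not vendor tooling. Assumption: version strings look like
'V36.1.225' or '36.1.225' (major.minor.build). The fixed builds below are
taken from the advisory's affected-products table.
"""
import re

# (major, minor) branch -> first build that carries the fix.
FIRST_FIXED_BUILD = {
    (36, 1): 225,
    (37, 0): 173,
}

_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Parse 'V36.1.225' into (36, 1, 225).

    Comparing numeric tuples avoids the classic string-compare mistake where
    '36.1.99' sorts after '36.1.225' and a vulnerable build looks patched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Parasolid version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version_text: str) -> dict:
    """Return the status for one installed build and, if affected, the build to update to."""
    major, minor, build = parse_version(version_text)
    fixed = FIRST_FIXED_BUILD.get((major, minor))
    if fixed is None:
        # Branch not named in the advisory: neither confirmed affected nor fixed here.
        return {"version": (major, minor, build), "status": "not-listed", "update_to": None}
    if build < fixed:
        return {"version": (major, minor, build), "status": "vulnerable",
                "update_to": f"V{major}.{minor}.{fixed}"}
    return {"version": (major, minor, build), "status": "fixed", "update_to": None}


if __name__ == "__main__":
    # Constructed inventory lines, not real hosts.
    inventory = {"eng-ws-01": "V36.1.99", "eng-ws-02": "V36.1.225",
                 "eng-ws-03": "37.0.172", "eng-ws-04": "V36.0.500"}
    for host, ver in inventory.items():
        r = assess(ver)
        print(f"{host}: {ver} -> {r['status']}" + (f", update to {r['update_to']}" if r["update_to"] else ""))
```

Branches the advisory does not name come back as `not-listed` rather than `fixed`; confirm those separately with the vendor instead of assuming they are clean.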
CVEs (1)