OTPulse
FeedAboutContact

File Parsing Vulnerability in Solid Edge before V2023 MP1

Plan Patch7.8SSA-997779Jan 10, 2023
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

Solid Edge before V2023 MP1 contains a memory corruption vulnerability in its file parsing logic for PAR, ASM, and DFT file formats. When a user opens a malicious file in one of these formats, an attacker can execute arbitrary code in the context of the Solid Edge process. The vulnerability requires user interaction (opening a file) and affects the privileges of the current user.

What this means
What could happen
A user who opens a malicious Solid Edge design file (PAR, ASM, or DFT format) could allow an attacker to execute arbitrary code on their engineering workstation with the privileges of the logged-in user.
Who's at risk
Engineering and design teams using Solid Edge CAD software on workstations. This affects anyone who opens design files from untrusted sources or could be targeted with malicious files sent via email or file-sharing services.
How it could be exploited
An attacker crafts a malicious Solid Edge design file and tricks a user into opening it (via email, file sharing, or social engineering). When the file is parsed, a memory corruption flaw is triggered, allowing the attacker to run arbitrary code on the workstation in the context of the user's session.
Prerequisites
  • User must open a malicious file with Solid Edge
  • Affected version of Solid Edge must be installed (before V2023 MP1)
  • User account credentials (whatever account is running Solid Edge)
user interaction required (file opening)affects engineering workstationsmemory corruption vulnerabilitycode execution possible
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
Solid Edge< V2023 MP12023 MP1
Remediation & Mitigation
0/1
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Solid Edge to V2023 MP1 or later
View full Siemens ProductCERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/ad9b366e-48d4-4ac5-959f-2faa66527560
File Parsing Vulnerability in Solid Edge before V2023 MP1 | CVSS 7.8 - OTPulse