CVE-2023-24558: Out-of-bounds read vulnerability in Siemens Solid Edge allows code execution via crafted PAR files


Description Preview

A vulnerability has been identified in Siemens Solid Edge SE2022 (All versions < V222.0MP12) and Solid Edge SE2023 (All versions < V223.0Update2). The affected applications contain an out-of-bounds read vulnerability that occurs when parsing specially crafted PAR files. When processing these malicious files, the application reads past the end of an allocated structure, which could allow an attacker to execute arbitrary code in the context of the current process. This vulnerability requires user interaction as the victim would need to open a specially crafted PAR file.

Overview

This vulnerability (CVE-2023-24558) affects Siemens Solid Edge CAD software, specifically SE2022 (all versions before V222.0MP12) and SE2023 (all versions before V223.0Update2). It is an out-of-bounds read that occurs while the application parses a PAR file: a value taken from the file is used to index or size a read beyond the end of the structure that was actually allocated. When exploited successfully, an attacker can execute arbitrary code with the same privileges as the user running Solid Edge.

The attack vector requires social engineering: the victim has to open a maliciously crafted PAR file. Once the file is opened, the vulnerable parser reads past the allocated memory structure. As with most out-of-bounds reads, the direct outcome is a crash or a leak of adjacent memory; reaching code execution depends on how the over-read data is subsequently used, which is why the advisory states that code execution "could" result. This class of memory-safety bug is particularly dangerous in CAD software, where part files are routinely received from suppliers, customers and shared project folders and opened without a second thought.
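The following is an added example, not Siemens code and not a description of the real PAR file format: it shows the bug class described above, a record parser that trusts a length field read from the file, next to a bounds-checked version of the same step. The record layout (2-byte tag, 4-byte little-endian length, payload), all function names and both sample records are invented for the illustration.

```c
/* Added illustration of an out-of-bounds read in a file parser.
 * NOT Siemens code; the record layout below is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout: 2-byte LE tag, 4-byte LE payload length, payload. */
#define REC_HEADER_LEN 6

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed sample 1: well-formed record, tag 0x4201, 4-byte payload {1,2,3,4}. */
const uint8_t VALID_RECORD[] = { 0x01, 0x42, 0x04, 0x00, 0x00, 0x00, 1, 2, 3, 4 };

/* Constructed sample 2: the same bytes, but the length field now claims 4096
 * payload bytes while only 4 follow. This is the crafted-file case. */
const uint8_t CRAFTED_RECORD[] = { 0x01, 0x42, 0x00, 0x10, 0x00, 0x00, 1, 2, 3, 4 };

/* VULNERABLE pattern: the loop bound comes from the file, not from the size of
 * the buffer that was actually read. On CRAFTED_RECORD it would walk 4092 bytes
 * past the end of the allocation. Kept deliberately wrong for contrast; only
 * call it on data whose length field is known to be honest. */
uint32_t checksum_vulnerable(const uint8_t *buf) {
    uint32_t declared = rd_le32(buf + 2);
    uint32_t sum = 0;
    for (uint32_t i = 0; i < declared; i++)
        sum += buf[REC_HEADER_LEN + i];   /* out-of-bounds read when declared > available */
    return sum;
}

/* How far past the buffer the vulnerable loop would go: 0 when the length field
 * is consistent with the data, otherwise the number of bytes it would touch
 * beyond buf_len. Lets us reason about the bug without triggering it. */
size_t overrun_bytes(const uint8_t *buf, size_t buf_len) {
    if (buf_len < REC_HEADER_LEN)            /* even the length field is missing */
        return REC_HEADER_LEN - buf_len;     /* lower bound; the loop would read further */
    size_t available = buf_len - REC_HEADER_LEN;
    uint32_t declared = rd_le32(buf + 2);
    return declared > available ? (size_t)declared - available : 0;
}

/* HARDENED version: validate the declared length against the bytes that exist
 * before using it. Returns 0 and fills the out-params on success, -1 on a
 * truncated header or a length that exceeds the buffer. Comparing against
 * `buf_len - REC_HEADER_LEN` instead of computing `REC_HEADER_LEN + declared`
 * avoids the integer overflow the latter can hit on a 32-bit size_t. */
int parse_record_hardened(const uint8_t *buf, size_t buf_len, uint16_t *tag,
                          const uint8_t **payload, size_t *payload_len) {
    if (buf == NULL || buf_len < REC_HEADER_LEN) return -1;
    uint32_t declared = rd_le32(buf + 2);
    if ((size_t)declared > buf_len - REC_HEADER_LEN) return -1;
    *tag = (uint16_t)(buf[0] | (buf[1] << 8));
    *payload = buf + REC_HEADER_LEN;
    *payload_len = declared;
    return 0;
}

/* Same checksum, but only over a record the hardened parser accepted.
 * Returns the checksum, or -1 if the record was rejected. */
long long checksum_hardened(const uint8_t *buf, size_t buf_len) {
    uint16_t tag; const uint8_t *p; size_t n;
    if (parse_record_hardened(buf, buf_len, &tag, &p, &n) != 0) return -1;
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += p[i];
    return (long long)sum;
}

int main(void) {
    printf("valid:   vulnerable=%u hardened=%lld\n",
           checksum_vulnerable(VALID_RECORD),
           checksum_hardened(VALID_RECORD, sizeof VALID_RECORD));
    printf("crafted: vulnerable loop would read %zu bytes past the buffer; hardened=%lld\n",
           overrun_bytes(CRAFTED_RECORD, sizeof CRAFTED_RECORD),
           checksum_hardened(CRAFTED_RECORD, sizeof CRAFTED_RECORD));
    return 0;
}
```

Build with `cc -Wall -fsanitize=address oob_read.c` and run it: the hardened path rejects the crafted record, and `overrun_bytes()` reports how far the unchecked loop would have walked. If you point `checksum_vulnerable()` at `CRAFTED_RECORD` under AddressSanitizer it reports the global-buffer-overflow read, which is how this class of bug is typically surfaced when fuzzing a file parser.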

Remediation

To remediate this vulnerability, organizations running Solid Edge should take the following steps:

  1. Update Solid Edge to a fixed version:

    • For SE2022: update to V222.0MP12 or later
    • For SE2023: update to V223.0Update2 or later
  2. If immediate patching is not possible, apply these mitigations:

    • Do not open PAR files from untrusted or unexpected sources; treat unsolicited part files like any other untrusted attachment
    • Run Solid Edge under a non-administrative account. Any code execution happens in the context of the current process, so least privilege limits what a successful exploit can do
    • Open files of unknown provenance in an isolated or sandboxed environment (for example a dedicated, non-domain-joined VM)
    • Scan incoming PAR files with up-to-date endpoint security software before opening them, bearing in mind that signature-based scanning is unlikely to catch a novel crafted file
  3. Monitor the Siemens ProductCERT advisory (SSA-491245) for updates or additional affected versions.

References

  1. Siemens ProductCERT Security Advisory SSA-491245: https://cert-portal.siemens.com/productcert/pdf/ssa-491245.pdf
  2. MITRE CVE Entry CVE-2023-24558: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24558
  3. Siemens ProductCERT Portal: https://cert-portal.siemens.com/

Industry Exposure (most to least affected)

This section ranks industries by how often this CVE has been observed in customer environments, from most to least affected. The ranking indicates where this vulnerability is most prevalent and can help organizations in these sectors compare their exposure with peers and prioritize patching, resource allocation and remediation for this CVE.

  1. Manufacturing
  2. Arts, Entertainment & Recreation
  3. Health Care & Social Assistance
  4. Public Administration
  5. Educational Services
  6. Information
  7. Management of Companies & Enterprises
  8. Professional, Scientific, & Technical Services
  9. Retail Trade
  10. Wholesale Trade
  11. Accommodation & Food Services
  12. Administrative, Support, Waste Management & Remediation Services
  13. Agriculture, Forestry, Fishing & Hunting
  14. Construction
  15. Finance and Insurance
  16. Mining
  17. Other Services (except Public Administration)
  18. Real Estate Rental & Leasing
  19. Transportation & Warehousing
  20. Utilities
