Full Report
Siemens Tecnomatix Plant Simulation contains multiple file parsing vulnerabilities that can be triggered when the application reads files in the WRL, PSOBJ or SPP file formats. If a user is tricked into opening a malicious file with any of the affected products, the application could crash or arbitrary code could potentially be executed. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not available or not yet available.
Analysis Summary
# Vulnerability: Multiple File Parsing Flaws in Siemens Tecnomatix Plant Simulation
## CVE Details
- **CVE IDs:**
  - CVE-2024-23795, CVE-2024-23796, CVE-2024-23797, CVE-2024-23798, CVE-2024-23799, CVE-2024-23800, CVE-2024-23801, CVE-2024-23802, CVE-2024-23803, CVE-2024-23804
- **CVSS Score:**
  - CVSS v3.1: 7.8 (High)
  - CVSS v4.0: 7.3 (High)
- **CWE:**
  - CWE-121 (Stack-based Buffer Overflow)
  - CWE-122 (Heap-based Buffer Overflow)
  - CWE-125 (Out-of-bounds Read)
  - CWE-787 (Out-of-bounds Write)
## Affected Systems
- **Products:** Tecnomatix Plant Simulation
- **Versions:**
  - **V2201:** All versions < V2201.0012 (Fixed for most CVEs); All versions (No fix planned for CVE-2024-23799 through 23803).
  - **V2302:** All versions < V2302.0006 (Partial fix); All versions < V2302.0007 (Complete fix).
- **Configurations:** Systems where users open externally sourced project or geometry files.
## Vulnerability Description
The vulnerabilities exist within the file parsing engine of Tecnomatix Plant Simulation. When the application processes specially crafted files in **WRL (VRML)**, **PSOBJ**, or **SPP** formats, it fails to properly validate the input data. This leads to various memory corruption issues, including heap and stack-based buffer overflows, as well as out-of-bounds reads and writes.
## Exploitation
- **Status:** PoC available (CVSS Exploit Code Maturity: Functional/Proven).
- **Complexity:** Medium (Requires user interaction).
- **Attack Vector:** Local (The attacker must provide a malicious file to a user who then opens it with the affected software).
## Impact
- **Confidentiality:** High (Potential to read sensitive memory or execute arbitrary code).
- **Integrity:** High (Potential for arbitrary code execution in the context of the current process).
- **Availability:** High (Application crash or system instability).
## Remediation
### Patches
- **V2201:** Update to **V2201.0012** or later (Note: This does not address CVE-2024-23799, 23800, 23801, or 23803).
- **V2302:** Update to **V2302.0007** or later.
### Workarounds
- **Strict File Handling:** Do not open untrusted WRL, PSOBJ, or SPP files from unknown or untrusted sources.
- **Principle of Least Privilege:** Run the application with a non-privileged user account to limit the impact of potential code execution.
## Detection
- **Indicators of Compromise:** Unexpected application crashes when opening specific file types; unusual outbound network activity from the `PlantSimulation.exe` process.
- **Detection methods:** Use Endpoint Detection and Response (EDR) tools to monitor for buffer overflow attempts and suspicious child processes spawning from the Plant Simulation application.
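As an added example that is not part of the Siemens advisory or of any Siemens tooling, the following Python sketch applies the two indicators above (suspicious child processes of `PlantSimulation.exe`, and crashes of that process tied to a WRL/PSOBJ/SPP file on its command line) to constructed sample events. The event field names, the install path and the list of suspicious child binaries are assumptions to be mapped onto your own EDR or SIEM schema.

```python
import re

# Field names are assumptions modelled on Sysmon Event ID 1 (process creation)
# and Windows Application log Event ID 1000 (application crash).
PROCESS = "plantsimulation.exe"
# File formats parsed by the affected engine, as named in the advisory.
RISKY_FILE = re.compile(r'\.(?:wrl|psobj|spp)(?=["\s]|$)', re.IGNORECASE)
# Interpreters/LOLBins a simulation tool has no business launching (assumption).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(events):
    """Return (severity, reason, event_id) findings; events must be in time order."""
    findings, launches = [], {}      # launches: pid -> lower-cased command line
    for ev in events:
        if ev["type"] == "process_create":
            image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
            if image == PROCESS:
                # Remember what file (if any) this instance was opened with.
                launches[ev["pid"]] = ev.get("command_line", "").lower()
            elif parent == PROCESS and image in SUSPICIOUS_CHILDREN:
                findings.append(("high", f"{PROCESS} spawned {image}", ev["id"]))
        elif ev["type"] == "app_crash" and _basename(ev["faulting_app"]) == PROCESS:
            # A crash is only interesting here if a risky file was being parsed.
            if RISKY_FILE.search(launches.get(ev["pid"], "")):
                findings.append(("medium", "crash after opening WRL/PSOBJ/SPP file", ev["id"]))
            else:
                findings.append(("low", "crash, no risky file on command line", ev["id"]))
    return findings

PLANTSIM = r"C:\Program Files\PlantSim\PlantSimulation.exe"   # placeholder path
SAMPLE_EVENTS = [   # constructed sample telemetry, not real log data
    {"id": 1, "type": "process_create", "pid": 4120, "image": PLANTSIM,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": f'"{PLANTSIM}" "C:\\Users\\bob\\Downloads\\layout.spp"'},
    {"id": 2, "type": "process_create", "pid": 5200, "parent_image": PLANTSIM,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c echo hi"},
    {"id": 3, "type": "app_crash", "pid": 4120, "faulting_app": PLANTSIM},
    {"id": 4, "type": "process_create", "pid": 6000, "image": PLANTSIM,
     "parent_image": r"C:\Windows\explorer.exe", "command_line": f'"{PLANTSIM}"'},
    {"id": 5, "type": "process_create", "pid": 6100, "parent_image": PLANTSIM,
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
    {"id": 6, "type": "app_crash", "pid": 6000, "faulting_app": PLANTSIM},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```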
## References
- **Siemens Advisory (SSA-017796):** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-017796.html
- **Siemens Support Portal:** hxxps://support.sw.siemens[.]com/
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories