Full Report
Siemens Tecnomatix Plant Simulation contains multiple vulnerabilities that can be triggered when the application reads SPP and IGS files. If a user is tricked into opening a malicious file with the affected application, this could lead to a crash and potentially to arbitrary code execution on the target host. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: File Parsing Vulnerabilities in Siemens Tecnomatix Plant Simulation
## CVE Details
- **CVE IDs:**
  - CVE-2023-45601 (Stack-based Buffer Overflow)
  - CVE-2023-45204 (Type Confusion)
  - CVE-2023-44087 (Out-of-bounds Read)
  - *Note: The advisory also covers CVE-2023-44081 through CVE-2023-44086.*
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-121, CWE-704, CWE-125
## Affected Systems
- **Products:**
  - Siemens Tecnomatix Plant Simulation
  - Siemens Parasolid (geometric modeling kernel)
- **Versions:**
  - Tecnomatix Plant Simulation V2201: All versions < V2201.0009
  - Tecnomatix Plant Simulation V2302: All versions < V2302.0003
  - Parasolid V35.0: All versions < V35.0.262
  - Parasolid V35.1: All versions < V35.1.250
  - Parasolid V36.0: All versions < V36.0.169
- **Configurations:** Systems where users interact with and import external 3D modeling files.
## Vulnerability Description
Multiple vulnerabilities exist in the file parsing engines of Tecnomatix Plant Simulation and the underlying Parasolid kernel. The flaws are triggered when the application processes specially crafted **SPP** or **IGS** (IGES) files.
Technical issues include:
1. **Stack-based Buffer Overflow (CWE-121):** Improper bounds checking during IGS file parsing.
2. **Type Confusion (CWE-704):** Incorrect type conversion or casting when processing IGS files.
3. **Out-of-bounds Read (CWE-125):** Reading past the end of allocated structures when parsing SPP files.
## Exploitation
- **Status:** PoC available (CVSS Exploit Code Maturity: Functional/Proven).
- **Complexity:** Low (Requires a user to open a malicious file).
- **Attack Vector:** Local (User interaction required).
## Impact
- **Confidentiality:** High (Potential for memory dumping and information disclosure).
- **Integrity:** High (Potential for arbitrary code execution in the context of the process).
- **Availability:** High (Application crash/Denial of Service).
## Remediation
### Patches
- **Tecnomatix Plant Simulation V2201:** Update to V2201.0009 or later.
- **Tecnomatix Plant Simulation V2302:** Update to V2302.0003 or later.
- **Parasolid V35.0:** Update to V35.0.262 or later.
- **Parasolid V35.1:** Update to V35.1.250 or later.
- **Parasolid V36.0:** Update to V36.0.169 or later.
### Workarounds
- **Strict File Handling:** Do not open untrusted or suspicious SPP or IGS files from unknown sources.
- **Principle of Least Privilege:** Run the application under a non-privileged user account to limit the impact of potential code execution.
## Detection
- **Indicators of Compromise:** Unexpected application crashes (segmentation faults) when importing SPP or IGS files.
- **Detection Methods:** Monitor for unusual child processes spawning from the Tecnomatix Plant Simulation executable. Use endpoint detection and response (EDR) tools to scan for known malicious patterns in IGES/SPP file headers.
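As an added example (not part of the Siemens advisory or this summary), the child-process rule above applied to constructed Sysmon-style process-creation records: any child of the Plant Simulation process that is not on an allowlist is reported, together with whether the parent's command line referenced an SPP/IGS file. The executable name `PlantSimulation.exe`, the allowlist and the flattened log format are assumptions.

```python
import re

# Assumption: image name of the Plant Simulation process. The advisory does
# not name the binary; set this to the image name seen in your own telemetry.
PARENT_IMAGES = {"plantsimulation.exe"}
# Children the application is expected to spawn (constructed allowlist, e.g.
# the Windows error reporter after a crash); anything else is reported.
EXPECTED_CHILDREN = {"werfault.exe", "conhost.exe"}
# Process-creation records flattened to key="value" pairs, a constructed
# format modelled on Sysmon Event ID 1 fields.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
MODEL_FILE_RE = re.compile(r"\.(spp|igs|iges)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious_children(lines):
    """Alert on children of Plant Simulation that are not on the allowlist.

    Each alert records whether the parent's command line referenced an SPP or
    IGS file, tying the spawn to the file-parsing attack surface."""
    alerts = []
    for line in lines:
        rec = dict(FIELD_RE.findall(line))
        if rec.get("EventId") != "1":  # only process-creation events
            continue
        parent = basename(rec.get("ParentImage", ""))
        child = basename(rec.get("Image", ""))
        if parent in PARENT_IMAGES and child not in EXPECTED_CHILDREN:
            alerts.append({
                "time": rec.get("UtcTime", ""),
                "child": child,
                "command_line": rec.get("CommandLine", ""),
                "model_file_opened": bool(
                    MODEL_FILE_RE.search(rec.get("ParentCommandLine", ""))),
            })
    return alerts


# Constructed sample telemetry: a benign crash-handler spawn, a shell launched
# after a model file was opened, the application's own start, a network event.
SAMPLE_LOG = [
    'EventId="1" UtcTime="2024-01-10 09:12:01" Image="C:\\Windows\\System32\\WerFault.exe" ParentImage="C:\\Siemens\\PlantSimulation.exe" CommandLine="WerFault.exe -u -p 4120" ParentCommandLine="PlantSimulation.exe C:\\models\\cell.spp"',
    'EventId="1" UtcTime="2024-01-10 09:15:44" Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Siemens\\PlantSimulation.exe" CommandLine="cmd.exe" ParentCommandLine="PlantSimulation.exe C:\\Users\\eng\\Downloads\\part.igs"',
    'EventId="1" UtcTime="2024-01-10 09:11:30" Image="C:\\Siemens\\PlantSimulation.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="PlantSimulation.exe" ParentCommandLine="explorer.exe"',
    'EventId="3" UtcTime="2024-01-10 09:15:45" Image="C:\\Windows\\System32\\cmd.exe" DestinationIp="203.0.113.5"',
]
```

Running `find_suspicious_children(SAMPLE_LOG)` yields a single alert for the `cmd.exe` child with `model_file_opened` set, while the crash-handler spawn and the application's own launch from Explorer are ignored.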
## References
- **Siemens Security Advisory:** hxxps://cert-portal.siemens.com/productcert/pdf/ssa-524778.pdf
- **Siemens Support Portal:** hxxps://support.sw.siemens.com/
- **Industrial Security Guidelines:** hxxps://www.siemens.com/cert/operational-guidelines-industrial-security