Full Report
Questa and ModelSim (incl. OEM Editions) are affected by a vulnerability that could allow a local attacker to inject arbitrary code and escalate privileges. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Local Code Execution in Questa and ModelSim
## CVE Details
- **CVE ID:** CVE-2024-53977
- **CVSS Score:** 6.7 (Medium) - CVSS v3.1 / 5.4 (Medium) - CVSS v4.0
- **CWE:** CWE-427: Uncontrolled Search Path Element
## Affected Systems
- **Products:**
  - Siemens Questa (including OEM Editions)
  - Siemens ModelSim (including OEM Editions)
- **Versions:** All versions prior to V2025.1
- **Configurations:** Systems where administrators or high-privilege processes execute setup scripts from user-writable directories.
## Vulnerability Description
The vulnerability exists due to an insecure example setup script bundled with the affected software. This script attempts to load a specific executable file from the current working directory without sufficient path validation. This creates a "binary planting" or search path hijacking scenario. If a user with elevated privileges runs this script in a directory where a malicious actor has placed a crafted executable, the script will execute that malicious file with the privileges of the executing user.
## Exploitation
- **Status:** Not exploited (No reports of active exploitation in the wild or public PoC provided in the advisory).
- **Complexity:** High (Requires specific environmental conditions and user interaction).
- **Attack Vector:** Local (Attacker must have local access to the system to place the malicious file).
## Impact
- **Confidentiality:** High (Successful exploitation allows unauthorized access to data).
- **Integrity:** High (Attacker can modify system files and inject arbitrary code).
- **Availability:** High (Attacker could potentially crash the system or disrupt services).
## Remediation
### Patches
Siemens recommends updating to the following versions:
- **ModelSim:** Update to V2025.1 or later.
- **Questa:** Update to V2025.1 or later.
Patches can be downloaded via the Siemens Support Center:
- [https[:]//support[.]sw[.]siemens[.]com/product/852852093/]
- [https[:]//support[.]sw[.]siemens[.]com/product/852852103/]
### Workarounds
The advisory does not provide specific technical workarounds other than following general security best practices:
- Avoid running setup scripts from untrusted or user-writable directories.
- Strictly follow the principle of least privilege (PoLP).
## Detection
- **Indicators of Compromise:** Presence of unexpected or unauthorized executable files in common working directories used for Questa/ModelSim simulations.
- **Detection Methods:** Audit the use of setup scripts; monitor for unexpected processes spawned by administrators or high-privilege accounts originating from the Questa/ModelSim installation directories.
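
The workaround and the indicator above can be combined into a pre-flight check run before a setup script is launched from a given directory. This is an added example, not code from Siemens or the advisory. It assumes a POSIX host, and because the advisory does not name the file the script loads, it flags any executable in the directory; `audit_workdir` and `trusted_uids` are hypothetical names.

```python
import os
import stat


def audit_workdir(path=".", trusted_uids=None):
    """Return (entry, reason) findings for a POSIX working directory.

    Assumption: only root and the invoking user are trusted owners.
    """
    if trusted_uids is None:
        trusted_uids = {0, os.geteuid()}
    loose = stat.S_IWGRP | stat.S_IWOTH  # writable by group or others
    findings = []

    # The directory itself: anyone who can write here can plant a file.
    d = os.stat(path)
    if d.st_uid not in trusted_uids:
        findings.append((path, "directory owned by untrusted uid %d" % d.st_uid))
    if d.st_mode & loose:
        findings.append((path, "directory is group/other-writable"))

    # Non-recursive on purpose: the script resolves the file in the CWD only.
    with os.scandir(path) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            st = entry.stat(follow_symlinks=False)
            if stat.S_ISLNK(st.st_mode):
                if st.st_uid not in trusted_uids:
                    findings.append((entry.name, "symlink owned by untrusted uid %d" % st.st_uid))
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue  # not a regular file with an execute bit set
            if st.st_uid not in trusted_uids:
                findings.append((entry.name, "executable owned by untrusted uid %d" % st.st_uid))
            elif st.st_mode & loose:
                findings.append((entry.name, "executable is group/other-writable"))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = audit_workdir(target)
    for name, reason in results:
        print("%s: %s" % (name, reason))
    sys.exit(1 if results else 0)  # non-zero exit blocks a wrapper from continuing
```

An empty result does not prove the directory is clean, only that nothing in it is owned or writable by an account outside the trusted set.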
## References
- **Siemens Security Advisory SSA-637914:** [https[:]//cert-portal[.]siemens[.]com/productcert/pdf/ssa-637914[.]pdf]
- **Siemens Industrial Security Guidelines:** [https[:]//www[.]siemens[.]com/cert/operational-guidelines-industrial-security]