Full Report
Solid Edge is affected by multiple memory corruption vulnerabilities that can be triggered when the application reads specially crafted files in formats such as DWG, IFC, OBJ or STP. If a user is tricked into opening a malicious file with the affected application, an attacker could leverage the vulnerability to crash the application or execute arbitrary code in the context of the Solid Edge process. Siemens has released several updates for Solid Edge SE2023 and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple File Parsing Vulnerabilities in Solid Edge
## CVE Details
- **CVE ID:** CVE-2023-39549, CVE-2023-30986, CVE-2023-30985, CVE-2023-0973
- **CVSS Score:** 7.8 (High), the highest base score among the listed CVEs. The score, local attack vector, required user interaction and High confidentiality/integrity/availability impact correspond to the CVSS v3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
- **CWE:**
- CWE-416: Use After Free
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-125: Out-of-bounds Read
- CWE-476: NULL Pointer Dereference
## Affected Systems
- **Products:** Siemens Solid Edge SE2023
- **Versions:**
- Versions prior to V223.0 Update 2: affected by all four listed CVEs
- V223.0 Update 2: still affected by CVE-2023-30985 and CVE-2023-30986, which are fixed in V223.0 Update 3
- Confirm the fix version for CVE-2023-0973 against SSA-932528; this summary does not state it
- **Configurations:** Systems where Solid Edge is used to open 3D design and CAD file formats.
## Vulnerability Description
The vulnerabilities exist in the file parsing engines of Solid Edge. When processing specially crafted files in formats such as **DWG, IFC, OBJ, or STP**, the application fails to validate memory boundaries, object lifecycles or pointer validity before using data taken from the file. Importing the file is sufficient; no further interaction with the model is needed.
- **CVE-2023-39549 (DWG):** A use-after-free (CWE-416) during DWG parsing.
- **CVE-2023-30986 (STP):** Memory corruption (CWE-119, an out-of-bounds write) during STP parsing.
- **CVE-2023-30985 (OBJ):** Out-of-bounds read during OBJ parsing.
- **CVE-2023-0973 (IFC):** Null pointer dereference in the third-party STEPTools `ifcmesh` library.
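The common thread in the four CVEs above is an index, pointer or object taken from the file and used before it is validated. The OBJ case (CVE-2023-30985, an out-of-bounds read) is the easiest to show in miniature: OBJ face records (`f 1 2 3`) are indices into the vertex table defined earlier in the file, and a parser that trusts them reads wherever the attacker points. The following is an added example written for this page, not Solid Edge, Siemens or any real CAD parser code. It implements a minimal OBJ loader twice, once trusting the indices (the shape of the flaw; in C this is `vertices[idx - 1]` with no range check) and once validating them, including the OBJ convention that indices are 1-based and negative indices count back from the end of the vertex table. The sample files are constructed for the example.

```python
from typing import Callable, List, Tuple

Vertex = Tuple[float, float, float]
Face = List[Vertex]


def _records(text: str):
    """Yield (keyword, fields) for each non-empty, non-comment OBJ line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            yield parts[0], parts[1:]


def _vertex_index(token: str) -> int:
    """Face tokens look like '7', '7/2', '7//3' or '7/2/3'; the vertex index is first."""
    return int(token.split("/", 1)[0])


def parse_obj_unchecked(text: str) -> List[Face]:
    """Uses face indices straight from the file: the shape of the CWE-125 flaw.

    In a C parser this is  vertices[idx - 1]  with no range check: a large
    index reads past the vertex table, 0 or a negative index reads before it.
    Here a large index raises IndexError (the crash case) while 0 or a
    negative index silently wraps to the end of the list (the misread case).
    """
    vertices: List[Vertex] = []
    faces: List[Face] = []
    for keyword, fields in _records(text):
        if keyword == "v":
            x, y, z = (float(f) for f in fields[:3])
            vertices.append((x, y, z))
        elif keyword == "f":
            faces.append([vertices[_vertex_index(t) - 1] for t in fields])
    return faces


def parse_obj_checked(text: str) -> List[Face]:
    """Same parser with every index validated before it touches the vertex table."""
    vertices: List[Vertex] = []
    faces: List[Face] = []
    for keyword, fields in _records(text):
        if keyword == "v":
            if len(fields) < 3:
                raise ValueError("vertex record needs three coordinates")
            x, y, z = (float(f) for f in fields[:3])
            vertices.append((x, y, z))
        elif keyword == "f":
            if len(fields) < 3:
                raise ValueError("face needs at least three vertices")
            face: Face = []
            for token in fields:
                idx = _vertex_index(token)
                if idx == 0:
                    raise ValueError("OBJ indices are 1-based; 0 is invalid")
                # Negative indices count back from the vertices defined so far.
                resolved = idx - 1 if idx > 0 else len(vertices) + idx
                if not 0 <= resolved < len(vertices):
                    raise ValueError(
                        f"index {idx} outside vertex table of {len(vertices)} entries"
                    )
                face.append(vertices[resolved])
            faces.append(face)
    return faces


def parse_outcome(parser: Callable[[str], List[Face]], text: str) -> str:
    """Run a parser and report 'ok' or the name of the exception it raised."""
    try:
        parser(text)
        return "ok"
    except (IndexError, ValueError) as exc:
        return type(exc).__name__


# Constructed sample files for this example (not taken from any real CAD file).
TRIANGLE = "v 0 0 0\nv 1 0 0\nv 0 1 0\nf 1 2 3\n"
RELATIVE = TRIANGLE + "f -1 -2 -3\n"                  # spec-valid relative indices
OVERSIZED = TRIANGLE + "f 1 2 9999\n"                 # index past the vertex table
ZERO_INDEX = "v 0 0 0\nv 1 0 0\nv 0 1 0\nf 0 1 2\n"   # index 0 is never valid


if __name__ == "__main__":
    for name, sample in [("relative", RELATIVE), ("oversized", OVERSIZED), ("zero", ZERO_INDEX)]:
        print(name, "unchecked:", parse_outcome(parse_obj_unchecked, sample),
              "checked:", parse_outcome(parse_obj_checked, sample))
    # The unchecked parser accepts index 0 and quietly returns the last vertex.
    print("unchecked resolved index 0 to", parse_obj_unchecked(ZERO_INDEX)[0][0])
```

Two outcomes are worth noting. The unchecked parser fails on `f -1 -2 -3`, which is valid OBJ, because it does not know that negative indices are relative; a parser that gets that rule wrong in C turns a legitimate file into an out-of-bounds read. And it accepts `f 0 1 2` without complaint, returning the last vertex for index 0: the equivalent C read lands one element before the table, and nothing in the output reveals it. Crashes are therefore only the loud end of this bug class, which is why the Detection section below treats them as a weak indicator.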
## Exploitation
- **Status:** Proof-of-concept exploit maturity (the `E:P` component of the CVSS temporal vectors; the issues carry ZDI tracking numbers, so researcher-submitted crash files exist). No exploitation in the wild has been reported.
- **Complexity:** Low (CVSS AC:L). User interaction is required (UI:R): the victim must open or import the crafted file in Solid Edge.
- **Attack Vector:** Local (CVSS AV:L). The crafted file has to be delivered to the workstation and opened there; the application does not need to be reachable over the network.
## Impact
- **Confidentiality:** High (Risk of data disclosure and memory contents leak).
- **Integrity:** High (Potential for arbitrary code execution in the context of the current process).
- **Availability:** High (Potential for application crash and Denial of Service).
## Remediation
### Patches
- **Solid Edge SE2023 V223.0 Update 2:** resolves CVE-2023-39549.
- **Solid Edge SE2023 V223.0 Update 3:** resolves CVE-2023-30985 and CVE-2023-30986.
- Siemens recommends updating to the **latest available version** (V223.0 Update 3 or later). Confirm the fix version for CVE-2023-0973 against SSA-932528 before treating a deployment as fully patched.
### Workarounds
- Do not open or import CAD files (DWG, IFC, OBJ, STP) received from unknown or untrusted sources. The flaws are in the file parsers, so opening the file is enough to trigger them.
- Apply Siemens' operational guidelines for industrial security: run Solid Edge on workstations without unnecessary network exposure and limit the paths by which files can reach them.
## Detection
- **Indicators of Compromise:** Solid Edge crashing while opening or importing DWG, IFC, OBJ or STP files (Windows Application log Event ID 1000, source "Application Error", with Solid Edge as the faulting application). A crash is the denial-of-service or failed-exploit case; a successful code-execution exploit may leave no crash at all, so crashes are a weak indicator on their own.
- **Detection methods and tools:** Monitor process creation for unexpected child processes of the Solid Edge process (named `SolidEdge.exe` on this page; confirm the image name on the installed version), for example `cmd.exe`, `powershell.exe`, `rundll32.exe` or `mshta.exe` started while a CAD file is open. Use the exploit-mitigation and memory-protection telemetry of an Endpoint Detection and Response (EDR) product for the Solid Edge process to catch exploitation attempts that do not crash the application.
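The two checks above, the child-process rule and the crash indicator, as an added example written for this page (not Siemens code and not any EDR vendor's rule). It evaluates constructed, Sysmon-style process-creation events (Sysmon Event ID 1 fields `Image`, `ParentImage`, `CommandLine`) and Application log crash events (Event ID 1000, faulting application and module). The Solid Edge image name, install path and the faulting module name in the sample events are assumptions for the example and should be adjusted to the real installation.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Optional

# Image name(s) of the Solid Edge process. This page names SolidEdge.exe; treat
# the value as an assumption and confirm it against the installed version.
SOLID_EDGE_IMAGES = {"solidedge.exe"}

# Children a CAD session has no legitimate reason to start directly.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    detail: str


def _image_name(path: str) -> str:
    """Compare on the lower-cased file name so install paths and case do not matter."""
    return PureWindowsPath(path).name.lower()


def check_process_create(event: Dict[str, str]) -> Optional[Alert]:
    """Sysmon Event ID 1: flag a suspicious child whose parent is Solid Edge."""
    parent = _image_name(event.get("ParentImage", ""))
    child = _image_name(event.get("Image", ""))
    if parent in SOLID_EDGE_IMAGES and child in SUSPICIOUS_CHILDREN:
        return Alert("high", "solid_edge_suspicious_child",
                     f"{parent} started {child}: {event.get('CommandLine', '')}")
    return None


def check_application_error(event: Dict[str, str]) -> Optional[Alert]:
    """Application log Event ID 1000: a Solid Edge crash is a weak, low-severity signal."""
    app = _image_name(event.get("FaultingApplication", ""))
    if app in SOLID_EDGE_IMAGES:
        return Alert("low", "solid_edge_crash",
                     f"{app} faulted in {event.get('FaultingModule', 'unknown module')}; "
                     "identify the file that was being opened")
    return None


def evaluate(events: Iterable[Dict[str, str]]) -> List[Alert]:
    """Route each event to the matching check and collect the alerts in order."""
    alerts: List[Alert] = []
    for event in events:
        alert: Optional[Alert] = None
        if event.get("Source") == "Sysmon" and event.get("EventID") == "1":
            alert = check_process_create(event)
        elif event.get("Source") == "Application Error" and event.get("EventID") == "1000":
            alert = check_application_error(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed events for this example; paths and the module name are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Source": "Sysmon", "EventID": "1",
     "ParentImage": r"C:\Program Files\Siemens\Solid Edge 2023\Program\SolidEdge.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami"'},
    {"Source": "Sysmon", "EventID": "1",
     "ParentImage": r"C:\Program Files\Siemens\Solid Edge 2023\Program\SolidEdge.exe",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"explorer.exe C:\Designs"},
    {"Source": "Sysmon", "EventID": "1",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"Source": "Application Error", "EventID": "1000",
     "FaultingApplication": "SolidEdge.exe",
     "FaultingModule": "ExampleImporter.dll"},
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.detail}")
```

Only the first and last sample events alert: Solid Edge launching `cmd.exe` is high severity, the crash is logged at low severity for correlation with the file that was open, and the benign Explorer child and the `cmd.exe` started from Explorer are ignored. In production the same logic belongs in the EDR or SIEM rule language rather than a script; the point here is the two conditions and the severity split between them.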
## References
- Siemens Security Advisory SSA-932528: hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-932528.pdf
- Siemens Support Portal: hxxps://support.sw.siemens[.]com/
- CISA Advisory (STEPTools): hxxps://www.cisa[.]gov/news-events/ics-advisories/icsa-23-068-04
- Siemens Industrial Security Guidelines: hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security