CVE-2021-46151: 
Siemens Simcenter Femap vulnerability analysis and mitigation

A vulnerability (CVE-2021-46151) was discovered in Siemens Simcenter Femap V2020.2 and V2021.1 (all versions). The vulnerability is related to an out-of-bounds write issue that occurs while parsing specially crafted NEU files. This vulnerability was discovered in 2021 and publicly disclosed on February 11, 2022 (ZDI Advisory, Siemens Advisory).

The vulnerability is classified as an out-of-bounds write (CWE-787) that occurs during the parsing of NEU files. The issue stems from improper validation of user-supplied data, which can result in a write operation past the end of an allocated data structure. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector string: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (CISA Advisory).

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the current process, potentially leading to complete compromise of the affected system's confidentiality, integrity, and availability (ZDI Advisory).

Siemens has released updates to address this vulnerability and recommends users update to Simcenter Femap v2022.1 or later. Additionally, users are advised not to open untrusted NEU files in Simcenter Femap. As a general security measure, Siemens recommends protecting network access with appropriate mechanisms and configuring the environment according to their operational guidelines for industrial security (CISA Advisory).