CVE-2023-24992: 
Siemens Tecnomatix Plant Simulation vulnerability analysis and mitigation

A vulnerability has been identified in Siemens Tecnomatix Plant Simulation (All versions < V2201.0006). The vulnerability (CVE-2023-24992) was discovered by Simon Janz and involves an out-of-bounds write past the end of an allocated buffer while parsing a specially crafted SPP file (Vendor Advisory, ZDI Advisory).

The vulnerability is classified with a CVSS v3.1 Base Score of 7.8 HIGH (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The specific flaw exists within the parsing of SPP files and results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. The vulnerability is tracked as CWE-787 (Out-of-bounds Write) (ZDI Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The attack requires user interaction in that the target must visit a malicious page or open a malicious file (ZDI Advisory).

Siemens has released an update to correct this vulnerability. Users should upgrade to version V2201.0006 or later to address this security issue (ZDI Advisory).