CVE-2024-24920: 
Siemens Simcenter Femap vulnerability analysis and mitigation

A vulnerability (CVE-2024-24920) has been identified in Simcenter Femap (all versions prior to V2401.0000). The vulnerability is characterized by an out-of-bounds write condition that occurs while parsing specially crafted Catia MODEL files. This security flaw was discovered and reported through the Zero Day Initiative program (Siemens Advisory, CISA Advisory).

The vulnerability is classified as an out-of-bounds write (CWE-787) that occurs when parsing specially crafted Catia MODEL files. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 base score of 7.3 with the vector string CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability specifically involves writing past the end of an allocated buffer during file parsing operations (ZDI Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The attack requires user interaction, specifically opening a malicious Catia MODEL file. The potential impact includes complete compromise of system confidentiality, integrity, and availability within the scope of the application's privileges (Siemens Advisory).

Siemens has released version V2401.0000 as a fix for this vulnerability. Users are strongly recommended to update to this version or later. As a workaround, Siemens advises users not to open untrusted Catia MODEL files using Simcenter Femap. Additionally, it is recommended to protect network access to devices with appropriate mechanisms and configure the environment according to Siemens' operational guidelines for Industrial Security (Siemens Advisory).