CVE-2024-24922: 
Siemens Simcenter Femap vulnerability analysis and mitigation

A vulnerability (CVE-2024-24922) has been identified in Simcenter Femap (All versions < V2401.0000). The vulnerability is an out-of-bounds write issue that occurs when parsing specially crafted Catia MODEL files. This security flaw was discovered and reported through the Zero Day Initiative program, with the initial public disclosure occurring on February 13, 2024 (Siemens Advisory, CISA Advisory).

The vulnerability is classified as an out-of-bounds write (CWE-787) that occurs during the parsing of Catia MODEL files within the CatiaV420222 executable. The issue stems from inadequate validation of user-supplied data, which can result in a write operation past the end of an allocated data structure. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 base score of 7.3 (ZDI Advisory, Siemens Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The attack requires user interaction, specifically opening a malicious file, but could lead to complete system compromise with the same privileges as the application (CISA Advisory, ZDI Advisory).

Siemens has released version V2401.0000 to address this vulnerability and recommends users update to this version or later. As additional mitigation, users are advised not to open untrusted Catia MODEL files using Simcenter Femap. Organizations should also protect network access to devices with appropriate mechanisms and configure their environment according to Siemens' operational guidelines for Industrial Security (Siemens Advisory).