CVE-2024-24923: 
Siemens Simcenter Femap vulnerability analysis and mitigation

A vulnerability (CVE-2024-24923) has been identified in Siemens Simcenter Femap (versions prior to V2401.0000 and V2306.0001). The vulnerability is characterized as an out-of-bounds read issue that occurs while parsing specially crafted Catia MODEL files. This security flaw was discovered and reported through the Zero Day Initiative (ZDI-CAN-22055) (Siemens Advisory, ZDI Advisory).

The vulnerability is classified as an out-of-bounds read (CWE-125) that occurs when parsing specially crafted Catia MODEL files. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 score of 7.3 with the vector string CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The issue specifically results from the lack of proper validation of user-supplied data, which can result in a read before the start of an allocated data structure (CISA Advisory, ZDI Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The vulnerability requires user interaction, specifically opening a malicious file, to be exploited (Siemens Advisory, CISA Advisory).

Siemens has released updates to address this vulnerability and recommends users to update to version V2401.0000 or later, or V2306.0001 or later. Additionally, users are advised not to open untrusted Catia MODEL files using Simcenter Femap. As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines for Industrial Security (Siemens Advisory).