CVE-2024-24924: 
Siemens Simcenter Femap vulnerability analysis and mitigation

A vulnerability (CVE-2024-24924) has been identified in Simcenter Femap versions prior to V2306.0000. The vulnerability is related to an out-of-bounds write issue that occurs while parsing specially crafted Catia MODEL files. This security flaw was discovered and reported through the Zero Day Initiative (ZDI-CAN-22059) (Siemens Advisory, ZDI Advisory).

The vulnerability is classified as an out-of-bounds write (CWE-787) vulnerability. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 score of 7.3 with the vector string CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability specifically involves writing past the end of an allocated buffer during the parsing of Catia MODEL files (CISA Advisory, Siemens Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The vulnerability requires user interaction, specifically opening a malicious file, to be exploited (ZDI Advisory, Siemens Advisory).

Siemens has released version V2306.0000 to address this vulnerability. Users are recommended to update to this version or later. Additionally, Siemens recommends not opening untrusted Catia MODEL files using Simcenter Femap. As a general security measure, it is recommended to protect network access to devices with appropriate mechanisms and configure the environment according to Siemens' operational guidelines for industrial security (Siemens Advisory).