CVE-2024-32058: 
Siemens Simcenter Femap vulnerability analysis and mitigation

A memory corruption vulnerability has been identified in Simcenter Femap (versions prior to V2406) that affects the parsing of specially crafted IGS files. The vulnerability was discovered by Trend Micro Zero Day Initiative (ZDI-CAN-21563) and was assigned CVE-2024-32058. The issue was publicly disclosed on May 14, 2024, and affects the core functionality of the Simcenter Femap application (Siemens Advisory).

The vulnerability stems from improper restriction of operations within the bounds of a memory buffer (CWE-119) while parsing IGS files. The severity of this vulnerability is rated as HIGH with a CVSS v3.1 base score of 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and a CVSS v4.0 base score of 7.3 (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N). The vulnerability requires local access and user interaction to exploit (ZDI Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The impact is significant as it affects the confidentiality, integrity, and availability of the system, with all three aspects rated as HIGH in the CVSS scoring (CISA Advisory).

Siemens has released version V2406 of Simcenter Femap to address this vulnerability. Users are recommended to update to this version or later. As a workaround, Siemens advises users not to open untrusted IGS files in the affected applications. Additionally, they recommend protecting network access to devices with appropriate mechanisms and following Siemens' operational guidelines for Industrial Security (Siemens Advisory).