CVE-2024-32065: 
Siemens Simcenter Femap vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-32065) has been identified in Simcenter Femap (All versions < V2406). The vulnerability is an out-of-bounds read vulnerability that occurs while parsing specially crafted IGS files. This security flaw was discovered and reported by Trend Micro Zero Day Initiative (ZDI-CAN-21577) and was publicly disclosed on May 14, 2024 (Siemens Advisory).

The vulnerability is classified as an out-of-bounds read (CWE-125) that occurs when parsing specially crafted IGS files. It has received a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 Base Score of 7.3 with the vector string CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (ZDI Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The vulnerability requires user interaction, as the target must open a malicious IGS file (ZDI Advisory).

Siemens has released version V2406 of Simcenter Femap to address this vulnerability. Users are recommended to update to this version or later. As a workaround, Siemens advises users not to open untrusted IGS files using the affected application. Additionally, Siemens recommends configuring the environment according to their operational guidelines for Industrial Security (Siemens Advisory).