CVE-2024-32066: 
Siemens Simcenter Femap vulnerability analysis and mitigation

A vulnerability has been identified in Simcenter Femap (versions prior to V2406) that involves an out-of-bounds read vulnerability when parsing specially crafted IGS files. The vulnerability was discovered by Trend Micro Zero Day Initiative (ZDI-CAN-21578) and was assigned CVE-2024-32066. The issue was publicly disclosed on May 14, 2024, and affects the IGS file parsing functionality in Simcenter Femap software (Siemens Advisory).

The vulnerability is classified as an out-of-bounds read (CWE-125) that occurs when parsing specially crafted IGS files. It has received a CVSS v3.1 base score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 base score of 7.3 with vector string CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. The vulnerability specifically involves reading past the end of an allocated structure during the processing of IGS files (ZDI Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code in the context of the current process. The impact is considered high as it could potentially lead to complete compromise of the affected system's confidentiality, integrity, and availability (Siemens Advisory).

Siemens has released version V2406 of Simcenter Femap to address this vulnerability. Users are recommended to update to this version or later. As a workaround, Siemens advises users not to open untrusted IGS files in the affected applications. Additionally, Siemens recommends configuring the environment according to their operational guidelines for Industrial Security (Siemens Advisory).