On July 11, 2024, Siemens released an advisory concerning critical vulnerabilities in Simcenter Femap, rated CVSS v4 7.3. The vulnerabilities include out-of-bounds reads and writes, type confusion, and stack-based buffer overflows. These issues affect versions of Simcenter Femap released before V2406 and could potentially allow attackers to execute code within the context of the current process.
The vulnerabilities identified in Simcenter Femap include several out-of-bounds read and write errors, type confusion problems, and a stack-based buffer overflow. These flaws arise from the way the application handles specially crafted IGS and BMP files. They are assigned CVE identifiers ranging from CVE-2024-32055 to CVE-2024-33654, all with high severity ratings.
Siemens recommends updating to Simcenter Femap version V2406 or later to address these issues. In addition to the update, Siemens advises against opening untrusted IGS, BDF, or BMP files and suggests employing network access protection measures. Organizations are encouraged to follow Siemens’ guidelines for operating devices securely and to apply general cybersecurity practices.
The Cybersecurity and Infrastructure Security Agency (CISA) also recommends minimizing network exposure, using firewalls, and securing remote access with VPNs. CISA advises conducting thorough risk assessments before implementing defensive measures and provides additional resources on industrial control system cybersecurity best practices. Despite the critical nature of these vulnerabilities, there is no known public exploitation reported at this time.