https://cert-portal.siemens.com/productcert/html/ssa-976324.html <br/></td> CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"/>https://cert-portal.siemens.com/productcert/html/ssa-976324.html <br/></td> CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"/>
Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)
This vulnerability affects Siemens Simcenter Femap installations, specifically within the IGES_2022_2 executable's parsing of IGS files. The flaw stems from inadequate validation of user-supplied data, resulting in a type confusion condition. This vulnerability allows remote attackers to execute arbitrary code on affected systems, though user interaction is required for exploitation.
If successfully exploited, an attacker can execute arbitrary code in the context of the current process on affected Siemens Simcenter Femap installations. This could lead to unauthorized access, data manipulation, or further system compromise. The vulnerability has high impacts on confidentiality, integrity, and availability of the affected system.
One proof-of-concept exploit is available on zerodayinitiative.com. There is no evidence of proof of exploitation at the moment.
Siemens has issued an update to correct this vulnerability. The security team should refer to the advisory at https://cert-portal.siemens.com/productcert/html/ssa-976324.html for specific patch information and affected software versions.
1. Apply the security update provided by Siemens as soon as possible. 2. Implement the principle of least privilege to minimize the impact of potential exploits. 3. Educate users about the risks of opening untrusted IGS files or visiting malicious web pages. 4. Consider implementing application whitelisting to prevent unauthorized executables from running. 5. Monitor systems for suspicious activities, especially those related to the IGES_2022_2 executable. 6. If immediate patching is not possible, consider isolating affected systems or restricting access to them.
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Feedly found the first article mentioning CVE-2024-32062. See article
Feedly estimated the CVSS score as HIGH
NVD published the first details for CVE-2024-32062
A CVSS base score of 7.8 has been assigned.
EPSS Score was set to: 0.04% (Percentile: 8.5%)