PatchSiren cyber security CVE debrief
CVE-2024-33654 Siemens CVE debrief
CVE-2024-33654 is a high-severity vulnerability in Siemens Simcenter Femap, published on 2024-07-09. The vulnerability involves an out-of-bounds read past the end of an allocated structure when parsing specially crafted BMP files, which could allow an attacker to execute code in the context of the current process. The CVSS 3.1 score is 7.8 (HIGH), with a vector of AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, low attack complexity, no privileges required, but user interaction required, with high impact on confidentiality, integrity, and availability. Siemens has released a vendor fix: users should update to V2406 or later version. Additional mitigations include not opening untrusted BMP files or untrusted IGS, BDF, or BMP files in the affected applications. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor
- Siemens
- Product
- Simcenter Femap
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-07-09
- Original CVE updated
- 2024-07-09
- Advisory published
- 2024-07-09
- Advisory updated
- 2024-07-09
Who should care
Organizations using Siemens Simcenter Femap for engineering simulation and analysis, particularly those in industrial, manufacturing, aerospace, and automotive sectors where Femap is commonly deployed. System administrators responsible for CAD/CAE software security and engineers who regularly import external geometry files should prioritize this update.
Technical summary
The vulnerability exists in the BMP file parsing functionality of Siemens Simcenter Femap. When processing specially crafted BMP files, the application reads beyond the bounds of an allocated memory structure. This out-of-bounds read can be exploited to achieve arbitrary code execution in the context of the current process. The attack requires local access and user interaction (opening a malicious file), but no privileges are required. The vulnerability affects confidentiality, integrity, and availability with high impact.
Defensive priority
HIGH
Recommended defensive actions
- Update Siemens Simcenter Femap to V2406 or later version to address the out-of-bounds read vulnerability in BMP file parsing
- Avoid opening untrusted BMP files in Simcenter Femap until patching is complete
- Avoid opening untrusted IGS, BDF, or BMP files from untrusted sources in Simcenter Femap
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
- Monitor Siemens ProductCERT security advisories for additional updates or patches
Evidence notes
Vulnerability details sourced from CISA CSAF advisory ICSA-24-193-04 and Siemens security advisory SSA-064222. CVSS vector and remediation information confirmed through official Siemens and CISA sources.
Official resources
-
CVE-2024-33654 CVE record
CVE.org
-
CVE-2024-33654 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-07-09