PatchSiren

CVE-2024-34772 Siemens CVE debrief

CVE-2024-34772 is a high-severity vulnerability in Siemens Solid Edge, a CAD software suite used for product design and engineering. The flaw involves an out-of-bounds read past the end of an allocated structure when parsing specially crafted PAR (part) files. This memory safety issue could allow an attacker to execute arbitrary code within the context of the current process. The vulnerability was disclosed on May 14, 2024, through coordinated advisories from CISA and Siemens. The attack vector requires local access with user interaction—an attacker must convince a victim to open a malicious PAR file. While the CVSS base score of 7.8 reflects high impact on confidentiality, integrity, and availability, the local attack vector and required user interaction reduce the ease of exploitation. Siemens has released a vendor fix in V224.0 Update 4, and CISA recommends defensive measures including avoiding untrusted PAR files.

Vendor: Siemens
Product: Solid Edge
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-05-14
Original CVE updated: 2024-05-14
Advisory published: 2024-05-14
Advisory updated: 2024-05-14

Who should care

Engineering organizations using Siemens Solid Edge for product design and manufacturing; CAD administrators managing Solid Edge deployments; industrial control system (ICS/OT) security teams protecting engineering workstations; organizations with supply chain file exchange workflows involving PAR files; security teams responsible for endpoint protection in engineering environments

Technical summary

The vulnerability exists in the PAR file parsing component of Siemens Solid Edge. When processing a malformed or specially crafted PAR file, the application reads past the end of an allocated memory structure. This out-of-bounds read can leave the parser operating on data outside the intended structure and potentially enable arbitrary code execution within the context of the Solid Edge process. The flaw is triggered during file open operations, so it requires attacker-supplied file content and victim interaction. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a local attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact across confidentiality, integrity, and availability. The temporal metrics record proof-of-concept exploit code maturity (E:P) and an official fix as the remediation level (RL:O).

Defensive priority

HIGH

Recommended defensive actions

  • Apply Siemens Solid Edge V224.0 Update 4 or later to remediate this vulnerability
  • Implement user awareness training to prevent opening of untrusted PAR files from unknown sources
  • Consider application whitelisting and endpoint protection to detect anomalous Solid Edge process behavior
  • Review and restrict file transfer mechanisms that could introduce malicious PAR files into engineering environments
  • Monitor for suspicious Solid Edge crashes or unexpected process terminations that may indicate exploitation attempts

Evidence notes

Vulnerability disclosed via CISA ICS advisory ICSA-24-137-09 and Siemens security advisory SSA-589937. CVSS 3.1 vector confirms local attack vector with user interaction required. Vendor fix available in V224.0 Update 4.
