CVE-2020-28384
📋 TL;DR
This vulnerability in Solid Edge CAD software allows attackers to execute arbitrary code by exploiting a stack-based buffer overflow when parsing malicious PAR files. It affects all versions of Solid Edge SE2020 before MP12 and Solid Edge SE2021 before MP2. Successful exploitation could lead to complete system compromise.
💻 Affected Systems
- Solid Edge SE2020
- Solid Edge SE2021
📦 What is this software?
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
Solid Edge by Siemens
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with SYSTEM/administrator privileges leading to complete system takeover, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation or remote code execution when users open malicious PAR files, potentially leading to malware installation or data exfiltration.
If Mitigated
Limited impact with proper application whitelisting, file type restrictions, and user awareness training preventing malicious file execution.
🎯 Exploit Status
Exploitation requires user interaction to open malicious PAR files. Multiple advisories suggest active research interest.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Solid Edge SE2020MP12 or later, Solid Edge SE2021MP2 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-979834.pdf
Restart Required: Yes
Instructions:
1. Download latest Solid Edge maintenance pack from Siemens support portal. 2. Close all Solid Edge applications. 3. Run the installer with administrative privileges. 4. Restart system after installation completes.
🔧 Temporary Workarounds
PAR File Blocking
allBlock PAR files at email gateways and network perimeters to prevent delivery to users.
Application Control
windowsImplement application whitelisting to prevent unauthorized Solid Edge execution.
🧯 If You Can't Patch
- Implement strict file type restrictions to block PAR files at network boundaries
- Train users to never open PAR files from untrusted sources and disable automatic file associations
🔍 How to Verify
Check if Vulnerable:
Check Solid Edge version in Help > About. If version is SE2020 before MP12 or SE2021 before MP2, system is vulnerable.Check Version:
Not applicable - check via Solid Edge GUI Help > About menuVerify Fix Applied:
Verify version shows SE2020MP12 or later, or SE2021MP2 or later in Help > About.📡 Detection & Monitoring
Log Indicators:
- Solid Edge crash logs with memory access violations
- Unexpected PAR file processing events
- Process creation from Solid Edge with unusual parameters
Network Indicators:
- PAR file downloads from untrusted sources
- Outbound connections from Solid Edge process to suspicious IPs
SIEM Query:
Process: 'sedge.exe' AND (FileExtension: '.par' OR CommandLine: '*par*')🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-979834.pdf
- https://us-cert.cisa.gov/ics/advisories/icsa-21-012-04
- https://www.zerodayinitiative.com/advisories/ZDI-21-055/
- https://www.zerodayinitiative.com/advisories/ZDI-21-076/
- https://cert-portal.siemens.com/productcert/pdf/ssa-979834.pdf
- https://us-cert.cisa.gov/ics/advisories/icsa-21-012-04
- https://www.zerodayinitiative.com/advisories/ZDI-21-055/
- https://www.zerodayinitiative.com/advisories/ZDI-21-076/
