CVE-2021-27387
📋 TL;DR
This vulnerability in Simcenter Femap allows attackers to execute arbitrary code by exploiting improper validation when parsing FEMAP files. Users of Simcenter Femap 2020.2 and 2021.1 before specific maintenance pack versions are affected. Successful exploitation could lead to complete system compromise.
💻 Affected Systems
- Simcenter Femap
- Simcenter Femap 2020.2
- Simcenter Femap 2021.1
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining the same privileges as the Femap process, potentially leading to data theft, system manipulation, or lateral movement.
Likely Case
Local code execution leading to privilege escalation, data exfiltration, or installation of persistent malware.
If Mitigated
Limited impact with proper network segmentation and least privilege principles, potentially only affecting the Femap application.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious FEMAP file. No public exploit code is available, but the vulnerability is well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Simcenter Femap 2020.2 Maintenance Pack 3 (V2020.2.MP3) or later, Simcenter Femap 2021.1 Maintenance Pack 3 (V2021.1.MP3) or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-133038.pdf
Restart Required: Yes
Instructions:
1. Download the appropriate maintenance pack from Siemens support portal.
2. Close all Femap instances.
3. Run the maintenance pack installer.
4. Restart the system.
5. Verify the installation by checking the version.
🔧 Temporary Workarounds
Restrict FEMAP file handling
Windows: Implement application whitelisting to restrict execution of femap.exe or implement file type restrictions to prevent opening untrusted FEMAP files.
User awareness training
All platforms: Train users to only open FEMAP files from trusted sources and to be cautious of unexpected file attachments.
🧯 If You Can't Patch
- Implement strict access controls to limit who can run Femap and access FEMAP files.
- Use application sandboxing or virtualization to isolate Femap from critical systems and data.
🔍 How to Verify
Check if Vulnerable:
Check Femap version via Help > About in the application or examine the executable properties.
Check Version:
Not applicable - check via GUI in Help > About menu
Verify Fix Applied:
Verify the version shows V2020.2.MP3 or later for 2020.2, or V2021.1.MP3 or later for 2021.1.
📡 Detection & Monitoring
Log Indicators:
- Unexpected crashes of femap.exe
- Unusual process creation from femap.exe
- Access to suspicious FEMAP files
Network Indicators:
- Outbound connections from femap.exe to unexpected destinations
SIEM Query:
Process creation where parent process contains 'femap.exe' AND (command line contains suspicious patterns OR destination IP is external)
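The log and network indicators above can be checked offline against exported endpoint telemetry. The following is an added example, not part of the advisory or any vendor tooling; the event field names, the internal address ranges and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from pathlib import PureWindowsPath

# Assumption: address ranges treated as internal; adjust to the local network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_femap(image):
    """True when the path's file name is femap.exe, ignoring case."""
    return bool(image) and PureWindowsPath(image).name.lower() == "femap.exe"

def is_external(ip):
    """True when ip is outside INTERNAL_NETS; unparsable values are flagged too."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)

def triage(events):
    """Return (host, indicator, detail) for every event matching an indicator."""
    alerts = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process_create" and is_femap(ev.get("parent_image")):
            alerts.append((ev["host"], "child process of femap.exe", ev.get("image", "")))
        elif kind == "app_crash" and is_femap(ev.get("image")):
            alerts.append((ev["host"], "femap.exe crash", ev.get("detail", "")))
        elif (kind == "network_connect" and is_femap(ev.get("image"))
              and is_external(ev.get("dest_ip", ""))):
            alerts.append((ev["host"], "external connection from femap.exe", ev.get("dest_ip", "")))
    return alerts

# Constructed sample events; hosts, paths and addresses are invented for the example.
FEMAP = r"C:\Apps\Femap\femap.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws-01", "parent_image": r"C:\Windows\explorer.exe", "image": FEMAP},
    {"type": "app_crash", "host": "ws-02", "image": FEMAP.upper(), "detail": "access violation"},
    {"type": "process_create", "host": "ws-02", "parent_image": FEMAP, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network_connect", "host": "ws-02", "image": FEMAP, "dest_ip": "10.20.0.15"},
    {"type": "network_connect", "host": "ws-02", "image": FEMAP, "dest_ip": "203.0.113.40"},
    {"type": "network_connect", "host": "ws-03", "image": r"C:\Windows\System32\svchost.exe", "dest_ip": "203.0.113.40"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(*alert, sep=" | ")
```

A crash followed by a child process and an external connection on the same host, as on ws-02 in the sample, is the sequence worth escalating first.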