CVE-2021-46151
📋 TL;DR
This vulnerability allows remote code execution through specially crafted NEU files in Simcenter Femap. An attacker could execute arbitrary code with the privileges of the current user. Affects Simcenter Femap V2020.2 and V2021.1 users.
💻 Affected Systems
- Simcenter Femap
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation or system compromise when a user opens a malicious NEU file, potentially leading to data exfiltration.
If Mitigated
Limited impact if proper file validation and user privilege restrictions are in place, though file parsing could still crash the application.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious NEU file; no authentication bypass needed but social engineering likely required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to Simcenter Femap V2022.1 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf
Restart Required: Yes
Instructions:
1. Download and install Simcenter Femap V2022.1 or later from Siemens support portal.
2. Uninstall previous vulnerable versions.
3. Restart system after installation.
🔧 Temporary Workarounds
Restrict NEU file handling
Windows: Block or restrict opening of NEU files via application whitelisting or file extension policies.
User privilege reduction
Windows: Run Femap with limited user privileges to reduce impact of successful exploitation.
🧯 If You Can't Patch
- Implement application whitelisting to prevent execution of unauthorized binaries
- Educate users to avoid opening NEU files from untrusted sources and implement email filtering for suspicious attachments
🔍 How to Verify
Check if Vulnerable:
Check Femap version via Help > About; if version is V2020.2 or V2021.1, system is vulnerable.
Check Version:
Not applicable - check via GUI Help > About menu in Femap
Verify Fix Applied:
Verify installed version is V2022.1 or later via Help > About menu.
📡 Detection & Monitoring
Log Indicators:
- Application crashes when parsing NEU files
- Unexpected process creation from femap.exe
Network Indicators:
- Unusual outbound connections from Femap process
SIEM Query:
Process Creation where Image contains 'femap.exe' AND ParentImage NOT IN ('explorer.exe', 'cmd.exe')
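The Python sketch below is an added example, not code from the vendor or from this page's author. It applies the SIEM query above and the "unexpected process creation from femap.exe" log indicator to constructed process-creation events, comparing executable base names case-insensitively so that full paths and look-alike names such as notfemap.exe do not skew the match. The Image and ParentImage field names come from the query; the paths, sample events and rule labels are assumptions.

```python
import ntpath

FEMAP = "femap.exe"
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe"}  # allow-list taken from the page's query

# Constructed sample events; the paths are placeholders, not real install locations.
EVENTS = [
    {"Image": r"C:\Apps\Femap\femap.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Apps\Femap\FEMAP.EXE", "ParentImage": r"C:\Apps\Mail\OUTLOOK.EXE"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Apps\Femap\femap.exe"},
    {"Image": r"C:\Temp\notfemap.exe", "ParentImage": r"C:\Apps\Office\winword.exe"},
]


def base(path):
    """Lower-cased file name of a Windows path; empty string if the field is missing."""
    return ntpath.basename(path or "").lower()


def classify(event):
    """Return a rule label for a process-creation event, or None if nothing matches."""
    image = base(event.get("Image"))
    parent = base(event.get("ParentImage"))
    # Page's SIEM query: Femap started by something other than the expected parents.
    # Exact base-name equality avoids the substring hit on notfemap.exe.
    if image == FEMAP and parent not in EXPECTED_PARENTS:
        return "femap_unexpected_parent"
    # Page's log indicator: Femap itself creating another process.
    if parent == FEMAP and image != FEMAP:
        return "femap_spawned_child"
    return None


def scan(events):
    """Return (label, image, parent) for every event that matches a rule."""
    hits = []
    for event in events:
        label = classify(event)
        if label:
            hits.append((label, base(event.get("Image")), base(event.get("ParentImage"))))
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

An event with no ParentImage field is reported under the first rule, because an empty parent name is not in the allow-list.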
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf
- https://www.zerodayinitiative.com/advisories/ZDI-22-291/
- https://www.zerodayinitiative.com/advisories/ZDI-22-292/