CVE-2021-46155
📋 TL;DR
This vulnerability is a stack-based buffer overflow in Simcenter Femap's parser for NEU (Femap Neutral) files. It is triggered when a user opens or imports a specially crafted NEU file, and lets an attacker execute arbitrary code in the context of the Femap process, i.e. with the privileges of the user running Femap. Affects Simcenter Femap V2020.2 (all versions) and V2021.1 (all versions); fixed in V2022.1.
💻 Affected Systems
- Simcenter Femap
📦 What is this software?
Simcenter Femap is Siemens' Windows-based finite element analysis (FEA) pre- and post-processor used by engineering teams to build and review simulation models. NEU is the Femap Neutral file format used to exchange model data between Femap and other tools, so opening or importing a NEU file exercises the vulnerable parser.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution with the privileges of the user running Femap. If that user is a local administrator, this is effectively full compromise of the engineering workstation, with follow-on theft of design data, lateral movement into the engineering network, or persistence.
Likely Case
Code execution as the current user when an engineer opens a malicious NEU file received by email, file share, or download. On its own this is not a privilege escalation: the attacker gets exactly what the Femap process already has.
If Mitigated
Impact is confined to one standard user account when Femap runs without administrative rights and untrusted NEU files are blocked or quarantined before they reach engineering workstations.
🎯 Exploit Status
Exploitation requires a user to open or import a specially crafted NEU file in a vulnerable Femap version; there is no network-facing attack surface. The multiple ZDI advisories referenced below show the issue was reported and coordinated through the Zero Day Initiative; they do not indicate a public exploit, and none is referenced on this page.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to V2022.1 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf
Restart Required: Yes
Instructions:
1. Download the latest Femap version (V2022.1 or later) from the Siemens support portal.
2. Close all running Femap instances and install the update following the vendor instructions.
3. Restart the system to ensure the changes take effect.
🔧 Temporary Workarounds
Restrict NEU file handling
Windows: Quarantine or block .neu attachments at the mail gateway and web proxy, and only accept NEU files into engineering workstations from trusted internal sources. NEU files are data, not executables, so application whitelisting does not stop them from being opened; it can, however, block unexpected child processes spawned by femap.exe.
User awareness training
All platforms: Train users not to open or import NEU files from unknown or untrusted sources.
🧯 If You Can't Patch
- Run Femap as a standard (non-administrator) user so that any code execution is confined to that account, and use application control (for example AppLocker or WDAC) to block unexpected child processes of femap.exe
- Use network segmentation to isolate Femap workstations from critical infrastructure and from the rest of the engineering network
🔍 How to Verify
Check if Vulnerable:
Check the Femap version via Help > About. Any build of V2020.2 or V2021.1 (including maintenance packs) is vulnerable.
Check Version:
In Femap: Help > About menu option
Verify Fix Applied:
Verify Femap version is V2022.1 or later after update installation.
📡 Detection & Monitoring
Log Indicators:
- Unexpected crashes of femap.exe (Windows Application log, Event ID 1000 Application Error and Event ID 1001 Windows Error Reporting)
- NEU files arriving from outside the engineering environment (email attachments, downloads) shortly before a Femap crash
Network Indicators:
- Unusual outbound connections from the femap.exe process, which has no reason to talk to arbitrary Internet hosts
SIEM Query (pseudo-syntax for the Windows Application log; adapt to your platform):
Channel = "Application" AND EventID IN (1000, 1001) AND Message CONTAINS "femap.exe"
Event 1000 carries the faulting module, exception code and fault offset; exception codes 0xc0000005 (access violation) and 0xc0000409 (stack buffer overrun) following a NEU file open are the ones worth triaging. NEU file access is not recorded in the Application log, so correlate with object-access auditing (Security Event ID 4663) on the directories where NEU files are stored.
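The version check in "How to Verify" and the crash triage described under "Detection & Monitoring" can be run from one PowerShell script on each Femap workstation. The script below is an added example written for this page, not Siemens code or part of the advisory; the install path of femap.exe and the Event 1000 property layout are assumptions (the path varies per site and should be passed with -FemapExe).

```powershell
# Added example (not from the Siemens advisory): triage a Windows host for CVE-2021-46155.
# Assumptions: femap.exe under the default Program Files path (override with -FemapExe);
# Windows Application log Event IDs 1000 (Application Error) and 1001 (Windows Error Reporting).
param(
    [string]$FemapExe = 'C:\Program Files\Siemens\Femap\femap.exe',  # assumed install path
    [int]$LookbackDays = 30
)

# 1. Version check. SSA-609880: V2020.2 and V2021.1 are affected, V2022.1 or later is fixed.
$fixed = [version]'2022.1'
if (Test-Path -LiteralPath $FemapExe) {
    $vi = (Get-Item -LiteralPath $FemapExe).VersionInfo
    $raw = if ($vi.ProductVersion) { $vi.ProductVersion } else { $vi.FileVersion }
    # Version strings vary by build (e.g. "2021.1.0.0"); compare only major.minor.
    $parts = (($raw -split '[^\d.]')[0]) -split '\.'
    $installed = [version]('{0}.{1}' -f $parts[0], $parts[1])
    if ($installed -lt $fixed) {
        Write-Output "VULNERABLE: Femap $installed is below $fixed; update to V2022.1 or later"
    } else {
        Write-Output "OK: Femap $installed is $fixed or later"
    }
} else {
    Write-Output "femap.exe not found at $FemapExe; pass -FemapExe or check Help > About in Femap"
}

# 2. Crash triage. Event 1000 properties, in order: faulting app name, app version,
#    app timestamp, faulting module, module version, module timestamp, exception code,
#    fault offset, process id, ... A stack overflow from a crafted NEU typically surfaces
#    as 0xc0000005 (access violation) or 0xc0000409 (stack buffer overrun / __fastfail).
$filter = @{
    LogName   = 'Application'
    Id        = 1000, 1001
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'femap\.exe' }

foreach ($e in $events) {
    $p = @($e.Properties | ForEach-Object { $_.Value })
    if ($e.Id -eq 1000) {
        $code = "$($p[6])"
        [pscustomobject]@{
            Time       = $e.TimeCreated
            EventId    = $e.Id
            App        = $p[0]
            Module     = $p[3]
            Exception  = $code
            Offset     = $p[7]
            Suspicious = ($code -match '^(0x)?c000000[5]$' -or $code -match '^(0x)?c0000409$')
        }
    } else {
        # Event 1001 is the WER record that follows the crash; keep it for correlation.
        [pscustomobject]@{
            Time       = $e.TimeCreated
            EventId    = $e.Id
            App        = 'femap.exe'
            Module     = $null
            Exception  = $null
            Offset     = $null
            Suspicious = $false
        }
    }
}
```

Reading the Application log does not require elevation. A "Suspicious" hit is a lead, not proof of exploitation: Femap crashes on malformed but benign models too, so pull the NEU file the user opened (from mail, download history or Security Event 4663 object-access auditing on the model directories) and examine it before escalating.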
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf
- https://www.zerodayinitiative.com/advisories/ZDI-22-305/
- https://www.zerodayinitiative.com/advisories/ZDI-22-306/
- https://www.zerodayinitiative.com/advisories/ZDI-22-307/
- https://www.zerodayinitiative.com/advisories/ZDI-22-308/