CVE-2021-46159 – This vulnerability allows remote code execution... (How to Fix)

Q: What is the severity of CVE-2021-46159?

CVE-2021-46159 has a CVSS score of 7.8 (HIGH). This vulnerability allows remote code execution through specially crafted NEU files in Simcenter Femap engineering software. Attackers can exploit an out-of-bounds write vulnerability to execute arbitrary code with the privileges of the current user. Organizations using Simcenter Femap V2020.2 or V2021.1 for engineering analysis are affected.

📋 TL;DR

This vulnerability allows remote code execution through specially crafted NEU files in Simcenter Femap engineering software. Attackers can exploit an out-of-bounds write vulnerability to execute arbitrary code with the privileges of the current user. Organizations using Simcenter Femap V2020.2 or V2021.1 for engineering analysis are affected.

💻 Affected Systems

Products:

Simcenter Femap

Versions: V2020.2 (All versions), V2021.1 (All versions)

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability triggers when parsing specially crafted NEU files, which are native to Femap for engineering data exchange.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attacker to execute arbitrary code, install malware, pivot to other systems, and potentially disrupt engineering operations.

🟠

Likely Case

Local privilege escalation leading to data theft, system manipulation, or ransomware deployment within the engineering environment.

🟢

If Mitigated

Limited impact through application sandboxing or restricted user privileges, potentially resulting in application crash rather than code execution.

🌐 Internet-Facing: LOW - This requires file parsing, typically not an internet-facing service.

🏢 Internal Only: HIGH - Engineering workstations often process external files and have elevated privileges for analysis tasks.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires user interaction to open a malicious NEU file. No public exploit code is available as of the advisory dates.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to V2022.1 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf

Restart Required: Yes

Instructions:

1. Download latest Femap version from Siemens support portal. 2. Uninstall current vulnerable version. 3. Install updated version. 4. Restart system.

🔧 Temporary Workarounds

Restrict NEU file handling

windows

Block or sandbox NEU file processing through application control policies

Windows AppLocker: New-AppLockerPolicy -RuleType Path -Action Deny -Path "*.neu" -User Everyone

User privilege reduction

windows

Run Femap with limited user privileges to reduce impact of successful exploitation

🧯 If You Can't Patch

Implement strict file validation for NEU files before opening in Femap
Isolate engineering workstations from critical network segments and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Check Femap version via Help > About. Vulnerable if version is exactly 2020.2 or 2021.1.

Check Version:

Not applicable - check via GUI Help > About menu

Verify Fix Applied:

Verify version is 2022.1 or later in Help > About dialog.

📡 Detection & Monitoring

Log Indicators:

Application crashes when opening NEU files
Unexpected process creation from femap.exe

Network Indicators:

Unusual outbound connections from engineering workstations

SIEM Query:

Process Creation where Image ends with 'femap.exe' and CommandLine contains '.neu'

📊 Metadata

CVE ID: CVE-2021-46159

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: February 9, 2022

Last Updated: November 21, 2024

🔗 References

https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-314/ Third Party Advisory,VDB Entry
https://cert-portal.siemens.com/productcert/pdf/ssa-609880.pdf Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-314/ Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46159, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Simcenter Femap by Siemens

Simcenter Femap by Siemens

Simcenter Femap by Siemens

Simcenter Femap by Siemens

Simcenter Femap by Siemens

Simcenter Femap by Siemens

Simcenter Femap by Siemens

Simcenter Femap by Siemens

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict NEU file handling

User privilege reduction

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities