CVE-2024-23804
📋 TL;DR
A stack overflow vulnerability in Tecnomatix Plant Simulation is triggered while the application parses a specially crafted PSOBJ file. An attacker who tricks a user into opening such a file can execute code in the context of the Plant Simulation process, i.e. with the privileges of the user who opened it. Affected: all versions of Plant Simulation V2201 before V2201.0012 and V2302 before V2302.0006. Anyone who opens simulation files from untrusted sources is at risk.
💻 Affected Systems
- Tecnomatix Plant Simulation V2201
- Tecnomatix Plant Simulation V2302
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Code execution with the full privileges of the user running Plant Simulation. If that user is a local administrator, this amounts to complete workstation compromise, with follow-on lateral movement, data theft, or ransomware deployment on the engineering network.
Likely Case
Malware execution as the logged-on user when an engineer opens a malicious simulation file received by e-mail, download, or a shared project folder. The vulnerability itself does not elevate privileges; any escalation would require a separate flaw.
If Mitigated
Limited impact if users only open files from trusted sources, Plant Simulation runs under a non-administrative account, and endpoint controls restrict what the process can spawn or reach.
🎯 Exploit Status
Exploitation is local and user-assisted: the victim must open a crafted PSOBJ file. No authentication or special privileges are needed beyond being able to run Plant Simulation. The page has no information on a public exploit or in-the-wild use.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V2201.0012 for V2201, V2302.0006 for V2302
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-017796.html
Restart Required: Yes
Instructions:
1. Download the appropriate update from the Siemens support portal.
2. Close all Plant Simulation instances.
3. Run the installer with administrative privileges.
4. Restart the system if prompted.
🔧 Temporary Workarounds
Restrict PSOBJ files from untrusted sources
(Windows) PSOBJ files are data files opened by Plant Simulation, not executables, so application whitelisting alone does not stop them. Block the .psobj extension at the mail gateway and web proxy, and limit Plant Simulation to opening models from access-controlled project shares.
User awareness training
(All platforms) Train users to open Plant Simulation files only from trusted sources and to verify file integrity (for example a hash published by the sender) before opening.
🧯 If You Can't Patch
- Use application control and file-system permissions so Plant Simulation can only open model files from trusted, access-controlled directories, and block PSOBJ attachments and downloads at the perimeter
- Run Plant Simulation under a least-privilege (non-administrator) account and remove any permissions the engineering workflow does not need
🔍 How to Verify
Check if Vulnerable:
Open Help > About in Plant Simulation and read the version. V2201 builds earlier than V2201.0012 and V2302 builds earlier than V2302.0006 are vulnerable.
Check Version:
No dedicated vendor command-line check; read the version from Help > About, or from the installed-programs entry (Windows uninstall registry keys) on the workstation.
Verify Fix Applied:
After patching, verify version shows V2201.0012 or V2302.0006 in Help > About menu.
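The following PowerShell script is an added example, not part of the Siemens advisory or this page, for checking many engineering workstations without clicking through the GUI on each. It reads the Windows uninstall registry keys and compares the installed build to the fixed builds named above. Assumptions: the product registers a DisplayName containing "Plant Simulation" and a DisplayVersion of the form `<major>.<update>` (for example `2302.0004`); if the DisplayVersion format differs on your installs, the script reports it as unknown and you fall back to Help > About.

```powershell
# Added example: compare installed Tecnomatix Plant Simulation builds with the fixed builds
# from the advisory (V2201.0012, V2302.0006). Not vendor code.
# Assumed: DisplayName contains "Plant Simulation", DisplayVersion looks like "2302.0004".

function Get-PlantSimulationPatchStatus {
    $FixedBuilds = @{ '2201' = 12; '2302' = 6 }   # minimum safe update number per major version

    $UninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $installs = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Plant Simulation*' }

    if (-not $installs) {
        Write-Output 'No Tecnomatix Plant Simulation install found in the uninstall registry keys.'
        return
    }

    foreach ($app in $installs) {
        # Expect "<major>.<update>", e.g. "2302.0004" (assumed format; verify against Help > About)
        if ($app.DisplayVersion -match '^(?<major>\d{4})\.(?<update>\d+)') {
            $major  = $Matches['major']
            $update = [int]$Matches['update']
            if ($FixedBuilds.ContainsKey($major)) {
                $status = if ($update -ge $FixedBuilds[$major]) { 'FIXED' } else { 'VULNERABLE' }
            } else {
                # Other major versions are not listed in this advisory
                $status = 'NOT IN ADVISORY SCOPE'
            }
        } else {
            $status = 'UNKNOWN VERSION FORMAT (check Help > About)'
        }

        [pscustomobject]@{
            Product = $app.DisplayName
            Version = $app.DisplayVersion
            Status  = $status
        }
    }
}

# Usage: run locally, or via Invoke-Command against a list of engineering workstations
Get-PlantSimulationPatchStatus | Format-Table -AutoSize
```

Run it with the same elevation you would use for other inventory scripts; reading the uninstall keys does not require administrator rights, but remote execution via `Invoke-Command` does require WinRM to be enabled on the targets.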
📡 Detection & Monitoring
Log Indicators:
- Unexpected crashes of the Plant Simulation process (failed or unreliable exploitation of a parsing bug often shows up as a crash first)
- PSOBJ files arriving by e-mail, download, or removable media, or being opened from temporary and download directories rather than the usual project shares
Network Indicators:
- Unusual outbound connections from Plant Simulation process
SIEM Query:
Process creation events (Windows Security event 4688, or the equivalent from your EDR) where the parent process is the Plant Simulation executable and the child is a shell, script host, or other living-off-the-land binary (cmd.exe, powershell.exe, wscript.exe, mshta.exe, rundll32.exe, certutil.exe and similar), or where the child command line contains encoded or download-and-execute parameters. Baseline the children Plant Simulation legitimately spawns in your environment before alerting.
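As an added example, not part of this page or any Siemens material, the query above expressed as a PowerShell hunt over the local Security log. Assumptions: Audit Process Creation is enabled with "Include command line in process creation events", the host runs Windows 10 / Server 2016 or later (so event 4688 carries the parent process name), and the Plant Simulation executable is named PlantSimulation.exe (verify the name on your own installs and change the parameter if it differs).

```powershell
# Added example: hunt for suspicious child processes of Plant Simulation in Security event 4688.
# Not vendor code. Assumes command-line auditing is on and the executable is PlantSimulation.exe.

function Find-PlantSimulationChildProcesses {
    param(
        [int]$Hours = 24,
        [string]$ParentName = 'PlantSimulation.exe',   # assumed executable name; adjust locally
        # Children a simulation tool has no business launching
        [string[]]$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                                          'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe',
                                          'certutil.exe', 'bitsadmin.exe', 'msiexec.exe')
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # 4688 fields used: NewProcessName, ParentProcessName, CommandLine, SubjectUserName
        if ($data.ParentProcessName -and ($data.ParentProcessName -like "*\$ParentName")) {
            $child = Split-Path -Path $data.NewProcessName -Leaf
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data.SubjectUserName
                Parent      = $data.ParentProcessName
                Child       = $data.NewProcessName
                CommandLine = $data.CommandLine
                Suspicious  = ($SuspiciousChildren -contains $child)
            }
        }
    }
}

# Usage: every child of Plant Simulation from the last day, suspicious ones first
Find-PlantSimulationChildProcesses -Hours 24 |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize
```

Reading the Security log requires administrator or Event Log Readers membership. Run the function over a quiet period first to learn which children Plant Simulation spawns legitimately on your workstations, then turn the `Suspicious -eq $true` rows into a SIEM alert.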