CVE-2024-47195
📋 TL;DR
This vulnerability allows authenticated local attackers to execute arbitrary code with elevated privileges by placing a malicious executable in a directory where gdb.exe is launched. It affects ModelSim and Questa simulation software users who run gdb.exe from user-writable directories with administrative privileges.
💻 Affected Systems
- ModelSim
- Questa
📦 What is this software?
ModelSim by Siemens
Questa by Siemens
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through privilege escalation to SYSTEM/root level, enabling complete control over the affected system.
Likely Case
Local privilege escalation allowing attackers to gain administrative rights on the workstation where vulnerable software is installed.
If Mitigated
No impact if gdb.exe is never launched from user-writable directories or if proper directory permissions are enforced.
🎯 Exploit Status
Exploitation requires local authenticated access and the ability to place a malicious executable in the target directory before gdb.exe is launched.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V2024.3
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-426509.html
Restart Required: Yes
Instructions:
1. Download ModelSim/Questa V2024.3 or later from Siemens support portal.
2. Install the update following vendor instructions.
3. Restart affected systems.
🔧 Temporary Workarounds
Restrict directory permissions
All platforms: Ensure gdb.exe is only launched from directories with restricted write permissions
Windows: icacls "C:\Program Files\ModelSim" /deny Users:(W)
Linux: chmod 755 /opt/modelsim && chown root:root /opt/modelsim
Use absolute paths
All platforms: Always launch gdb.exe using full absolute paths rather than relative paths
Windows: "C:\Program Files\ModelSim\win64\gdb.exe"
Linux: "/opt/modelsim/linux/gdb"
🧯 If You Can't Patch
- Ensure administrators never launch gdb.exe from user-writable directories
- Implement strict directory permission controls on all systems running affected software
🔍 How to Verify
Check if Vulnerable:
Check if ModelSim/Questa version is earlier than V2024.3 and if gdb.exe is launched from directories with user write permissions.
Check Version:
Windows: modelsim -version, Linux: vsim -version
Verify Fix Applied:
Confirm installation of V2024.3 or later and test that gdb.exe no longer loads executables from the current working directory.
📡 Detection & Monitoring
Log Indicators:
- Process creation events for gdb.exe from unusual directories
- Failed privilege escalation attempts
Network Indicators:
- None - this is a local attack
SIEM Query:
Process creation where (process_name contains 'gdb.exe' OR process_name contains 'gdb') AND (parent_process contains 'modelsim' OR parent_process contains 'vsim')
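As an added example (not part of the vendor advisory or any Siemens tooling), the following Python script applies the log indicator above to process-creation events: it flags gdb launches whose working directory lies outside the install tree and raises the severity when the process runs elevated. Field names follow Sysmon Event ID 1; the trusted root, the sample events and the function names are assumptions constructed for illustration, and the trusted root is assumed not to be user-writable.

```python
import ntpath  # Windows path rules, usable on any OS

# Assumption: trusted install root, taken from the example path on this page.
TRUSTED_ROOTS = [r"C:\Program Files\ModelSim"]
ELEVATED = {"High", "System"}  # Sysmon IntegrityLevel values for elevated tokens
GDB = r"C:\Program Files\ModelSim\win64\gdb.exe"

# Constructed sample events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": GDB, "CurrentDirectory": r"C:\Program Files\ModelSim\win64",
     "IntegrityLevel": "High"},
    {"Image": GDB, "CurrentDirectory": r"C:\Users\Public\sim1",
     "IntegrityLevel": "High"},
    {"Image": GDB, "CurrentDirectory": r"C:\Users\alice\work",
     "IntegrityLevel": "Medium"},
    {"Image": GDB, "CurrentDirectory": r"C:\Program Files\ModelSim\..\..\Temp",
     "IntegrityLevel": "System"},
    {"Image": r"C:\Program Files\ModelSim\win64\vsim.exe",
     "CurrentDirectory": r"C:\Users\alice\work", "IntegrityLevel": "Medium"},
]


def _norm(path):
    # Collapse '..', unify separators and case before comparing paths.
    return ntpath.normcase(ntpath.normpath(path))


def under_trusted_root(directory):
    """True if directory is a trusted root or below one, after resolving '..'."""
    d = _norm(directory)
    return any(d == _norm(r) or d.startswith(_norm(r) + "\\") for r in TRUSTED_ROOTS)


def triage(event):
    """Classify one process-creation event: ignore, ok, review or alert."""
    if ntpath.basename(event["Image"]).lower() not in ("gdb.exe", "gdb"):
        return "ignore"
    if under_trusted_root(event["CurrentDirectory"]):
        return "ok"
    # gdb started with a working directory outside the install tree.
    return "alert" if event["IntegrityLevel"] in ELEVATED else "review"


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev), ev["CurrentDirectory"])
```

The path comparison resolves `..` segments and requires a separator after the root, so a sibling directory whose name merely starts with the install path is not treated as trusted.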