SSA-979834: Vulnerabilities in Solid EdgeRecently, independent security researchers identified a handful of vulnerabilities in Solid Edge. These vulnerabilities have been resolved in released Maintenance Packs for all supported versions, specifically Solid Edge 2021 MP2 and Solid Edge 2020 MP12. If you are using an older version of Solid Edge 2020 or 2021 it is recommended that you update to one of the latest Maintenance Packs.
What the researchers found is, in theory, someone attacking your company could introduce a virus to a machine and "
fuzz" inputs to Solid Edge commands in order to cause the Solid Edge to crash, potentially exposing a vulnerability through which the attacker could gain access to the machine running Solid Edge and potentially the network to which it's connected. "
Fuzzing" is a technical security term for sending gibberish instead of a valid Solid Edge command string or parameter. There are two ways to do this:
- Send a .exe or .par file via email, the web, or some other external source and convince someone inside your company to open it in Solid Edge. This is known as a phishing attack, or possibly a spear-phishing attack since it would be highly targeted to a person using Solid Edge. As always, Siemens recommends the use of good security practices and not opening a file of unknown content or origin, as well as screening all incoming files for viruses or other malicious content to reduce this risk.
- An internal person (aka, an employee) who does not have access or privileges to certain internal systems or data could also use this approach to gain unauthorized, higher-level control of the machine, and possibly use that to find information or data to which they shouldn't have access. Again, good in-depth-security, including network monitoring and user management, can reduce this risk.
These vulnerabilities have been announced via the US Cybersecurity & Infrastructure Security Agency (
ICSA-21-012-04) notifications as reported by
Siemens Corporate CERT.
To avoid exposing these security vulnerabilities when using versions prior to Solid Edge 2021 MP2 and Solid Edge 2020 MP12 only trusted third party Solid Edge files should be opened.
The worst-case outcome in this scenario is the same as the worst case for any phishing attack. Companies are vulnerable to ransomware, loss of IP, loss of personal information, or general exposure of data on their system or network.
SFB-SOLID_EDGE-8524576
Product Information: