CVE-2023-24565 in Solid Edge SE2022

Summary

by MITRE • 02/14/2023

A vulnerability has been identified in Solid Edge SE2022 (All versions < V2210Update12), Solid Edge SE2022 (All versions), Solid Edge SE2023 (All versions < V2023Update2). The affected application contains an out of bounds read past the end of an allocated buffer while parsing a specially crafted STL file. This vulnerability could allow an attacker to disclose sensitive information. (ZDI-CAN-19428)


Analysis

by VulDB Data Team • 03/12/2023

This vulnerability resides in the Solid Edge CAD software suite, specifically affecting versions prior to the mentioned updates. The issue manifests as an out-of-bounds read condition that occurs during the parsing of specially crafted STL files, which are commonly used for 3D printing and computer-aided design applications. The flaw represents a classic buffer over-read vulnerability where the application fails to properly validate the boundaries of memory allocations when processing file data, leading to unauthorized memory access patterns that can expose sensitive information stored in adjacent memory locations. This type of vulnerability falls under the CWE-125 category of out-of-bounds read conditions, which are particularly dangerous as they can potentially reveal confidential data such as encryption keys, passwords, or other system information.

The operational impact of this vulnerability extends beyond simple information disclosure, as it creates potential attack vectors for more sophisticated exploits. An attacker who can successfully craft a malicious STL file could potentially leverage this out-of-bounds read to extract sensitive data from the application's memory space, which might include user credentials, configuration details, or proprietary design information. The vulnerability's presence in both Solid Edge SE2022 and SE2023 versions indicates a widespread issue affecting multiple product lines and suggests that the underlying parsing logic contains fundamental flaws in buffer boundary checking. From an attack perspective, this vulnerability aligns with ATT&CK technique T1059.007 for execution through file and content manipulation, where adversaries can exploit file parsing routines to achieve unauthorized access or information extraction.

The technical implementation of this vulnerability demonstrates poor input validation practices within the STL file parser component of Solid Edge. When processing the specially crafted file, the application does not adequately verify that data reads remain within the allocated buffer boundaries, allowing memory access beyond intended limits. This type of error commonly occurs in legacy code or when developers fail to implement proper bounds checking mechanisms, particularly in file format parsers that must handle various input formats with different data structures. The vulnerability's exploitation requires the victim to open or process a malicious STL file, making it a user interaction-based attack vector that aligns with ATT&CK technique T1204.002 for user execution through social engineering or malicious file delivery.

Organizations using Solid Edge software should prioritize applying the vendor-provided updates to address this vulnerability, as the out-of-bounds read condition represents a significant security risk that could be exploited to compromise sensitive design data or system information. The vulnerability also highlights the importance of implementing robust input validation and memory safety checks in applications that process external file formats, particularly in enterprise environments where CAD systems often contain confidential intellectual property and sensitive design information.
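As an added illustration of the bounds checking the analysis calls for (not code from Siemens, Solid Edge, or this entry): a pre-parse check for the binary STL layout that rejects a declared triangle count the file cannot back. The entry does not say which STL variant or field triggers the over-read, so the count-versus-size mismatch and all function names here are assumptions.

```c
/* Added example, not Solid Edge code; names and the failure case shown are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STL_HEADER_LEN 80u   /* binary STL: 80-byte free-form header */
#define STL_COUNT_LEN   4u   /* little-endian uint32 triangle count */
#define STL_TRI_LEN    50u   /* 12 floats (normal + 3 vertices) + uint16 attribute */

enum stl_status { STL_OK = 0, STL_TRUNCATED = -1, STL_COUNT_MISMATCH = -2 };

/* Read a little-endian uint32 without assuming alignment or host endianness. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Validate a binary STL buffer before any triangle is read.
 * On STL_OK, *count_out triangles can be read from buf + 84 in bounds.
 */
int stl_validate(const uint8_t *buf, size_t len, uint32_t *count_out)
{
    if (buf == NULL || len < STL_HEADER_LEN + STL_COUNT_LEN)
        return STL_TRUNCATED;          /* too short to hold the count field */

    uint32_t declared = rd_le32(buf + STL_HEADER_LEN);
    size_t payload = len - (STL_HEADER_LEN + STL_COUNT_LEN);

    /* Compare by division so declared * 50 can never overflow size_t. */
    if ((size_t)declared > payload / STL_TRI_LEN)
        return STL_COUNT_MISMATCH;     /* count claims more data than exists */

    *count_out = declared;
    return STL_OK;
}

/* Copy vertex 0 of triangle idx (host assumed little-endian IEEE-754). */
int stl_first_vertex(const uint8_t *buf, size_t len, uint32_t idx, float out[3])
{
    uint32_t count;
    int rc = stl_validate(buf, len, &count);
    if (rc != STL_OK) return rc;
    if (idx >= count) return STL_COUNT_MISMATCH;  /* index past validated count */
    /* Offset = header + count + idx * 50 + 12-byte normal; in bounds by the checks above. */
    memcpy(out, buf + 84 + (size_t)idx * STL_TRI_LEN + 12, 3 * sizeof(float));
    return STL_OK;
}
```

A parser that trusts the declared count and loops over it without the division check is the pattern that reads past the end of the allocation.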

Responsible: Siemens AG

Reservation: 01/26/2023

Disclosure: 02/14/2023

Moderation: accepted

CPE: ready

EPSS: 0.00201

KEV: no

Activities: very low
