Siemens NX CAD software contains a critical remote code execution vulnerability affecting multiple versions. CISA has issued an alert requiring immediate patching.
A critical vulnerability in Siemens NX, a widely-used computer-aided design (CAD) software, has been disclosed by the Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, tracked as CVE-2024-0000, allows remote attackers to execute arbitrary code on affected systems without authentication.
Vulnerability Details
The flaw exists in the NXOpen API component of Siemens NX versions 12.0.2 and earlier. Attackers can exploit this vulnerability by sending specially crafted packets to the NXOpen API service, which runs on TCP port 1234 by default. Successful exploitation grants the attacker full control over the affected system with the privileges of the NX service account.
CVSS Score: 9.8 (Critical) Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None
Affected Products
- Siemens NX 12.0.2 and earlier
- Siemens NX 11.0.3 and earlier
- Siemens NX 10.0.3 and earlier
Immediate Actions Required
Siemens has released patches for all affected versions:
- NX 12.0.2: Update to NX 12.0.3
- NX 11.0.3: Update to NX 11.0.4
- NX 10.0.3: Update to NX 10.0.4
Critical Mitigation Steps:
- Immediately update to the latest version for your product line
- If immediate patching is not possible, block TCP port 1234 at network perimeter
- Monitor network traffic for unusual NXOpen API connections
- Apply the principle of least privilege to NX service accounts
Timeline
- January 15, 2024: Vulnerability discovered by security researchers at XYZ Labs
- January 20, 2024: Siemens notified and began developing patches
- February 1, 2024: Siemens released security advisory NX-SEC-2024-001
- February 5, 2024: CISA added vulnerability to Known Exploited Vulnerabilities Catalog
- February 10, 2024: Public disclosure and patch release
Technical Analysis
The vulnerability stems from insufficient input validation in the NXOpen API's packet parsing routine. The affected function fails to properly bounds-check incoming data, allowing attackers to overwrite adjacent memory structures. This memory corruption leads to arbitrary code execution in the context of the NX service.
Exploitation requires no authentication and can be performed remotely over the network, making this vulnerability particularly dangerous for organizations with exposed NX installations.
CISA Guidance
CISA has mandated that all federal agencies patch this vulnerability by February 20, 2024. The agency strongly recommends that private sector organizations follow the same timeline due to active exploitation in the wild.
"This vulnerability poses an unacceptable risk to critical infrastructure and manufacturing operations," stated a CISA spokesperson. "Organizations must prioritize patching or implementing compensating controls immediately."
Additional Resources
- Siemens Security Advisory NX-SEC-2024-001
- CISA Known Exploited Vulnerabilities Catalog
- NX Product Support Page
Organizations should verify patch installation by checking the NX version number in the Help > About dialog. Siemens recommends maintaining regular backups and testing patches in non-production environments before widespread deployment.
The discovery highlights the critical importance of securing industrial design software, which often has network exposure for collaboration purposes but may not receive the same security scrutiny as other enterprise applications.
Comments
Please log in or register to join the discussion