CVE-2022-39157 - Out-of-Bounds Read in Parasolid Leads to Potential Code Execution

Parasolid is the geometric modeling kernel used worldwide by CAD/CAM/CAE applications like Siemens NX, SolidWorks, Onshape, and others. On August 2022, the Zero Day Initiative (ZDI) announced a critical vulnerability—tracked as CVE-2022-39157 (ZDI-CAN-17745)—affecting several Parasolid versions. This post will explain the vulnerability in plain language, walk through a simplified exploit scenario, and help you understand the impact and defenses.

What Is Parasolid?

Parasolid is a powerful toolkit for handling 3D geometry. Most users never interact with Parasolid itself, but the reliability of 3D file imports and exports in familiar applications like NX or SolidWorks depends on this kernel.

Parasolid reads and writes B-Rep 3D models in its own formats, commonly .x_t and .x_b files.

Summary of the Vulnerability

- Vulnerability Type: Out-of-bounds read (with potential out-of-bounds write/execution)

Technical Details: How the Flaw Works

When Parasolid imports an X_T file, it parses binary data structures to reconstruct 3D geometry. There's a bug in how certain table or structure boundaries are handled—when a specially crafted X_T file is parsed, Parasolid reads *past the end* of an allocated buffer ("out-of-bounds").

Depending on how the data on the heap is arranged, this out-of-bounds read can lead to a heap information leak (helping further attacks), to a crash, or potentially to arbitrary code execution if combined with other heap spray tricks.

Which Code Is Affected?

The vulnerable function is not open-source, but reverse engineering reveals the pattern. When parsing object data, the code trusts a field in the file that controls a "count" or "length" value. If this length is larger than the actual allocation, a read-past-bound occurs.

A simplified pseudo-code example

// Simplified code-flow inside Parasolid's X_T parser
void parse_xt_object(FILE *x_t_file) {
    uint32_t count;
    structure_t *structures;

    fread(&count, sizeof(count), 1, x_t_file);
    structures = malloc(count * sizeof(structure_t));
    fread(structures, sizeof(structure_t), count, x_t_file);

    for (int i = ; i <= count; i++) { // <-- Off-by-one bug here!
        process_structure(structures[i]); // i == count is out-of-bounds!
    }

    free(structures);
}

The vulnerable loop assumes untrusted input is always correct. If an attacker crafts a file so count is large (or the underlying allocation is smaller), this leads to reading outside valid memory.

> Note: In the real application, the bug is subtler and hidden in complex parser routines, but this demonstrates the principle.

Exploitation: How Would an Attacker Abuse CVE-2022-39157?

1. Craft a Malicious X_T File: The attacker creates a .x_t file with deliberately incorrect table lengths or offsets, causing the parser to read memory past the end of an array.

2. Delivery: The file is sent to a victim (via email, shared folder, support ticket, etc.). If the victim opens it with any affected Parasolid-based software, the bug can trigger.

3. Gain Code Execution: By cleverly arranging the heap using file content or combining with other vulnerabilities (heap spray, use-after-free, or leveraging data from the read), the attacker may be able to execute arbitrary code.

This attack takes advantage of the file parsing trust boundary, which is one of the most dangerous in modern software.

Proof-of-Concept Example

The actual malicious X_T file will have complex binary structures, but here’s a simplified approach to "fuzz" for the bug in a vulnerable version:

# Make a corrupt X_T file to trigger the bug
with open("poc.x_t", "wb") as f:
    # X_T header and version fields (fake, for illustration)
    f.write(b'#######100#######\n')
    # Add malformed structure length
    f.write(b'\xFF\xFF\xFF\xFF')  # Overly large count (255 on 32 bits)
    # Add insufficient data to cause out-of-bounds read
    f.write(b'\x00' * 10) # Not enough for 255 entries!

print("Malicious X_T file written as 'poc.x_t'")

If opened in a vulnerable app, this may cause a crash or abnormal behavior.

Result: Exploitable for code execution, depending on memory layout and app configuration.

Applications using Parasolid run with user privileges; code execution in this context can allow access to sensitive IP, files, or further lateral movement.

Siemens has released patches for all supported versions

- Siemens Advisory SSA-956412
- Parasolid Releases

Update Parasolid to the latest available build for your version. If you’re unsure, ask your CAD vendor—they may bundle this update under their own patch or security update.

Recommendations

- Update Now: Ensure you’re running a patched version as above, either in Parasolid or your CAD application.

Educate Users: Warn users to never open X_T files from untrusted sources.

- Segmentation: Limit file-parsing routines to locked-down and sandboxed environments, whenever possible.

References

- Siemens SSA-956412 Advisory
- Zero Day Initiative ZDI-22-1121
- NVD CVE-2022-39157

Conclusion

CVE-2022-39157 is a critical flaw that highlights the risks of complex file parsers, even in mature engineering software like Parasolid. If you deal with 3D CAD files—especially from untrusted sources—patch as soon as possible to protect your designers, your intellectual property, and your business.

If you found this helpful, share with your IT and engineering teams. Always keep your software up to date!

Timeline

Published on: 11/08/2022 11:15:00 UTC
Last modified on: 11/08/2022 16:31:00 UTC