Full Report
Questa and ModelSim (incl. OEM Editions) are affected by multiple vulnerabilities that could allow a local attacker to inject arbitrary code and escalate privileges. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Local Code Execution Vulnerabilities in Questa and ModelSim
## CVE Details
* **CVE ID:**
  * **CVE-2024-47194** (DLL Hijacking in `vish2.exe`)
  * **CVE-2024-47195** (Binary Hijacking in `gdb.exe`)
  * **CVE-2024-47196** (Tcl Script Injection in `vsimk.exe`)
* **CVSS Score:**
  * **v3.1:** 6.7 (Medium)
  * **v4.0:** 5.4 (Medium)
* **CWE:** CWE-427 (Uncontrolled Search Path Element)
## Affected Systems
* **Products:**
  * Siemens Questa (including OEM Editions)
  * Siemens ModelSim (including OEM Editions)
* **Versions:**
  * **CVE-2024-47194 & CVE-2024-47195:** All versions prior to **V2024.3**.
  * **CVE-2024-47196:** All versions prior to **V2025.2**.
* **Configurations:** Systems where administrators or high-privilege processes execute the affected binaries from user-writable directories.
## Vulnerability Description
Three distinct components of the Questa and ModelSim suites are vulnerable to "Uncontrolled Search Path Element" (CWE-427) flaws.
* **CVE-2024-47194:** `vish2.exe` attempts to load a DLL from the current working directory.
* **CVE-2024-47195:** `gdb.exe` attempts to load a specific executable file from the current working directory.
* **CVE-2024-47196:** `vsimk.exe` attempts to load a Tcl script file from the current working directory.
If an attacker places a malicious file (DLL, EXE, or TCL) in a directory and tricks a higher-privileged user into launching the corresponding application from that location, the application will execute the malicious code with the privileges of the launching user.
## Exploitation
* **Status:** Not exploited (no reports of active exploitation in the wild, and no public PoC is provided in the advisory).
* **Complexity:** Low (for CVSS 4.0 assessment) / High (for CVSS 3.1, requiring user interaction and specific environment conditions).
* **Attack Vector:** Local (Requires local access to the file system to place malicious files).
## Impact
* **Confidentiality:** High (Full access to data accessible by the compromised process).
* **Integrity:** High (Full ability to modify system files or application data).
* **Availability:** High (Ability to crash the system or delete critical files).
* **Note:** Successful exploitation leads to **Privilege Escalation** if the victim is an administrator.
## Remediation
### Patches
Siemens recommends updating to the following versions:
* **For CVE-2024-47194 and CVE-2024-47195:** Update to **V2024.3** or later.
* **For CVE-2024-47196:** Update to **V2025.2** or later.
### Workarounds
* **Avoid Working in Public/User-Writable Folders:** Do not launch `vish2.exe`, `gdb.exe`, or `vsimk.exe` from directories where non-privileged users have "Write" permissions.
* **Principle of Least Privilege:** Avoid running simulation tools with Administrator or elevated privileges unless strictly necessary.
* **Industrial Security Guidelines:** Follow Siemens' operational guidelines for industrial security to protect the IT environment.
## Detection
* **Indicators of Compromise:**
  * Unusual or unauthorized DLL, EXE, or TCL files appearing in project directories or current working directories of simulation tasks.
  * Unexpected child processes spawned by `vish2.exe`, `gdb.exe`, or `vsimk.exe`.
* **Detection Methods:** Monitor file system integrity for suspicious additions to application folders and audit process execution logs for high-privilege executions originating from user-controlled paths.
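The following is an added example, not part of the Siemens advisory, showing how the two detection methods above (and the "user-writable folder" condition from the workarounds) can be turned into a concrete check over process-creation events. The log lines are constructed to mimic Sysmon Event ID 1 fields (`Image`, `CurrentDirectory`, `IntegrityLevel`, `ParentImage`); the set of user-writable roots and the allow-list of expected child processes are assumptions for this host and would come from ACL checks and a baseline in practice.

```python
"""
Flag risky launches of the affected Questa/ModelSim binaries.

Added example; not the advisory's or Siemens' code. Rules implemented:
  1. vish2.exe / gdb.exe / vsimk.exe started with an elevated integrity level
     while the current working directory is user-writable (the CWE-427
     precondition described in the advisory).
  2. Any child process of those binaries that is not on an expected-children
     allow-list.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Union

AFFECTED_BINARIES = {"vish2.exe", "gdb.exe", "vsimk.exe"}
ELEVATED_LEVELS = {"High", "System"}

# Assumption: directory roots treated as writable by non-privileged users on this
# host. A real deployment should derive this from the directory ACLs instead.
USER_WRITABLE_ROOTS = (PureWindowsPath(r"C:\Users"), PureWindowsPath(r"C:\Temp"))

# Assumption: children the simulator is allowed to spawn (hypothetical baseline).
EXPECTED_CHILDREN = AFFECTED_BINARIES | {"conhost.exe"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class ProcessEvent:
    image: PureWindowsPath
    cwd: PureWindowsPath
    integrity: str
    parent_image: PureWindowsPath


def parse_event(line: str) -> ProcessEvent:
    """Parse one 'Key=Value Key=Value ...' line (values contain no spaces here)."""
    fields = dict(FIELD_RE.findall(line))
    return ProcessEvent(
        image=PureWindowsPath(fields["Image"]),
        cwd=PureWindowsPath(fields["CurrentDirectory"]),
        integrity=fields["IntegrityLevel"],
        parent_image=PureWindowsPath(fields["ParentImage"]),
    )


def is_user_writable(path: Union[str, PureWindowsPath]) -> bool:
    """True if path lies under one of USER_WRITABLE_ROOTS (case-insensitive)."""
    parts = tuple(p.lower() for p in PureWindowsPath(path).parts)
    for root in USER_WRITABLE_ROOTS:
        root_parts = tuple(p.lower() for p in root.parts)
        if parts[: len(root_parts)] == root_parts:
            return True
    return False


def analyse(events: List[ProcessEvent]) -> List[str]:
    """Apply both detection rules and return human-readable findings."""
    findings = []
    for ev in events:
        name = ev.image.name.lower()
        parent = ev.parent_image.name.lower()
        # Rule 1: affected binary, elevated, launched from a user-writable cwd.
        if (name in AFFECTED_BINARIES and ev.integrity in ELEVATED_LEVELS
                and is_user_writable(ev.cwd)):
            findings.append(f"elevated {name} launched from user-writable cwd {ev.cwd}")
        # Rule 2: an affected binary spawned something outside the baseline.
        if parent in AFFECTED_BINARIES and name not in EXPECTED_CHILDREN:
            findings.append(f"unexpected child {name} spawned by {parent}")
    return findings


def analyse_log(text: str) -> List[str]:
    """Parse every non-empty line of a log dump and analyse the events."""
    events = [parse_event(ln) for ln in text.splitlines() if ln.strip()]
    return analyse(events)


# Constructed sample events (Sysmon-style fields, paths are made up).
SAMPLE_LOG = r"""
Image=C:\Tools\questa\win64\vish2.exe CurrentDirectory=C:\Users\Public\sim IntegrityLevel=High ParentImage=C:\Windows\explorer.exe
Image=C:\Tools\questa\win64\vsimk.exe CurrentDirectory=C:\Projects\secure IntegrityLevel=High ParentImage=C:\Windows\explorer.exe
Image=C:\Windows\System32\cmd.exe CurrentDirectory=C:\Users\Public\sim IntegrityLevel=High ParentImage=C:\Tools\questa\win64\vish2.exe
Image=C:\Tools\questa\win64\vsimk.exe CurrentDirectory=C:\Users\alice\proj IntegrityLevel=Medium ParentImage=C:\Windows\explorer.exe
""".strip()

if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding)
```

Only the first sample event (elevated `vish2.exe` from a public folder) and the third (a shell spawned by `vish2.exe`) produce findings; the second runs from a protected project directory and the fourth is not elevated, so neither matches rule 1. Tuning the writable-root list and the child allow-list to the actual environment is what keeps this from being noisy.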
## References
* **Siemens Security Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-426509.html
* **ModelSim Support:** hxxps://support.sw.siemens[.]com/product/852852093/
* **Questa Support:** hxxps://support.sw.siemens[.]com/product/852852103/
* **Operational Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security