
CVE-2023-6078: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Dassault Systèmes BIOVIA Materials Studio products

Severity: High
Published: Thu Feb 01 2024 (02/01/2024, 13:33:48 UTC)
Source: CVE Database V5
Vendor/Project: Dassault Systèmes
Product: BIOVIA Materials Studio products

Description

An OS Command Injection vulnerability exists in BIOVIA Materials Studio products from Release BIOVIA 2021 through Release BIOVIA 2023. Upload of a specially crafted perl script can lead to arbitrary command execution.

AI-Powered Analysis

Last updated: 07/10/2025, 23:16:53 UTC

Technical Analysis

CVE-2023-6078 is a high-severity OS Command Injection vulnerability (CWE-78) affecting Dassault Systèmes BIOVIA Materials Studio products from the 2021 Golden release through the 2023 Golden release. It arises from improper neutralization of special elements in user-supplied input and is triggered by the upload of a specially crafted Perl script. An attacker with at least limited privileges (PR:L) can execute arbitrary operating system commands on the affected system without user interaction (UI:N). The attack vector is network-based (AV:N), so the flaw can be exploited remotely by anyone holding the necessary privileges. The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component. The CVSS v3.1 base score is 8.8, reflecting a high impact on confidentiality, integrity, and availability.

Exploitation can lead to full system compromise, including unauthorized data access, modification, or destruction, and potential lateral movement within the network. No known exploits are currently reported in the wild, but the presence of this vulnerability in widely used scientific and materials modeling software presents a significant risk, especially in research and industrial environments where BIOVIA Materials Studio is deployed. The lack of available patches at the time of publication necessitates immediate mitigation efforts to reduce exposure.

Potential Impact

For European organizations, particularly those involved in materials science, chemical research, pharmaceuticals, and advanced manufacturing sectors, this vulnerability poses a substantial risk. BIOVIA Materials Studio is a specialized software suite used extensively in R&D environments to simulate and analyze material properties. Successful exploitation could lead to unauthorized access to sensitive intellectual property, research data, and proprietary formulas, potentially resulting in significant financial losses and reputational damage. Moreover, attackers could leverage this vulnerability to establish persistent footholds within corporate networks, facilitating espionage or sabotage. Given the high confidentiality and integrity requirements of research data in Europe, exploitation could also lead to regulatory compliance issues under frameworks such as GDPR if personal or sensitive data is involved. The availability impact could disrupt critical research workflows, delaying projects and innovation. The remote exploitability combined with the requirement for limited privileges means insider threats or compromised user accounts could be leveraged to launch attacks, increasing the threat surface.

Mitigation Recommendations

1. Immediate Restriction of Access: Limit access to BIOVIA Materials Studio installations to trusted users only, enforcing strict role-based access controls to minimize the number of users with privileges capable of uploading scripts.
2. Network Segmentation: Isolate systems running BIOVIA Materials Studio from broader enterprise networks to contain potential compromises and prevent lateral movement.
3. Input Validation and Monitoring: Implement application-layer controls to detect and block uploads of suspicious or unauthorized script files, especially Perl scripts.
4. Privilege Management: Review and minimize user privileges on affected systems to the least necessary, reducing the risk of exploitation.
5. Incident Detection: Deploy host-based and network-based intrusion detection systems tuned to identify unusual command execution patterns or script uploads related to BIOVIA.
6. Vendor Coordination: Engage with Dassault Systèmes for timely updates and patches; monitor official channels for patch releases and apply them promptly once available.
7. Temporary Workarounds: If feasible, disable or restrict the script upload functionality until a patch is applied.
8. Security Awareness: Train users on the risks of uploading untrusted scripts and the importance of following security policies.

These measures, combined, will reduce the attack surface and mitigate the risk until a vendor patch is released.
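One way to implement the upload screening from recommendation 3, as an added example that is not code from Dassault Systèmes or from this page's source: it classifies an upload as Perl by extension or shebang and flags lines that reach an OS command sink. The function names, the sink patterns and the sample uploads are assumptions constructed for illustration.

```python
import re
from pathlib import PurePath

# Added example: hypothetical upload screen, not BIOVIA or vendor code.
PERL_EXTENSIONS = {".pl", ".pm", ".t"}
SHEBANG_PERL = re.compile(rb"^#!.*\bperl\b")

# Perl constructs that hand a string to the operating system (assumed pattern set).
COMMAND_SINKS = {
    "system/exec call": re.compile(r"\b(?:system|exec)\s*(?:\(|[\"'$@])"),
    "backtick command": re.compile(r"`[^`\n]+`"),
    "qx// operator": re.compile(r"\bqx\s*[^\w\s]"),
    "piped open": re.compile(r"\bopen\b[^;]*(?:[\"']\s*-?\||\|-?\s*[\"'])"),
    "string eval": re.compile(r"\beval\s*[\"'$]"),
}

def looks_like_perl(filename: str, data: bytes) -> bool:
    """Classify by extension or shebang, so a renamed script is still caught."""
    ext = PurePath(filename).suffix.lower()
    return ext in PERL_EXTENSIONS or bool(SHEBANG_PERL.match(data))

def strip_comments_and_pod(source: str) -> list[tuple[int, str]]:
    """Return (line_number, code) pairs without POD blocks and full-line comments."""
    kept, in_pod = [], False
    for number, line in enumerate(source.splitlines(), start=1):
        if re.match(r"^=cut\b", line):
            in_pod = False
        elif re.match(r"^=[a-zA-Z]", line):
            in_pod = True
        elif not in_pod and not line.lstrip().startswith("#"):
            kept.append((number, line))
    return kept

def screen_upload(filename: str, data: bytes) -> list[tuple[int, str]]:
    """Return (line_number, sink_name) findings; an empty list means nothing flagged."""
    if not looks_like_perl(filename, data):
        return []
    source = data.decode("utf-8", errors="replace")
    findings = []
    for number, code in strip_comments_and_pod(source):
        for name, pattern in COMMAND_SINKS.items():
            if pattern.search(code):
                findings.append((number, name))
    return findings

# Constructed sample uploads (not taken from any real exploit or from the product).
BENIGN = b"#!/usr/bin/perl\nuse strict;\n# system('id') in a comment only\nprint \"energy: 1.5\\n\";\n"
RENAMED = b"#!/usr/bin/env perl\nmy $out = `hostname`;\nopen(my $fh, '-|', 'uname', '-a');\nsystem(\"id\");\n"
```

Pattern matching of this kind is a triage signal for review or quarantine; it complements, and does not replace, restricting who may upload scripts.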


Technical Details

Data Version: 5.1
Assigner Short Name: 3DS
Date Reserved: 2023-11-10T10:25:11.979Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68487f5a1b0bd07c3938ab7d

Added to database: 6/10/2025, 6:54:18 PM

Last enriched: 7/10/2025, 11:16:53 PM

Last updated: 8/4/2025, 2:30:28 AM
