Siemens JT2Go and Teamcenter Visualization (Update B)
Plan Patch | CVSS 7.8 | ICS-CERT ICSA-21-012-03 | Jan 12, 2021
Siemens
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Siemens JT2Go and Teamcenter Visualization (all versions before 13.1.0) contain multiple memory corruption vulnerabilities in file parsing logic (CWE-843 XML denial-of-service, CWE-787 out-of-bounds write, CWE-122/121 buffer overflows, CWE-125 out-of-bounds read). These vulnerabilities allow arbitrary code execution when a user opens a malicious file. Versions 13.1.0 and later are only affected by a subset of CVEs (CVE-2020-26989, CVE-2020-26990, CVE-2020-26991). No complete patch is available.
What this means
What could happen
An attacker with local access to a machine running JT2Go or Teamcenter Visualization could execute arbitrary code and gain complete control of that workstation, potentially compromising engineering files and gaining access to the broader plant network.
Who's at risk
This affects engineering teams and CAD operators at any water authority, electric utility, or industrial facility that uses Siemens JT2Go or Teamcenter Visualization for viewing and managing design files. These are desktop tools used by engineers on workstations to review process flow diagrams, piping layouts, electrical schematics, and other design documentation.
How it could be exploited
An attacker would need to trick a user into opening a malicious file (likely a crafted JT or related CAD file) in JT2Go or Teamcenter Visualization. The vulnerable parsing logic could overflow memory or mishandle XML data, allowing the attacker to run code with the same privileges as the application user.
Prerequisites
- Local file access or ability to deliver a malicious file to a user
- User interaction required - victim must open a crafted file in the vulnerable application
- Application must be installed and running on an engineering workstation
- Local exploitation only (not remotely exploitable)
- User interaction required
- No patch available for most versions
- Affects engineering workstations that may have access to sensitive plant design data
- Memory corruption vulnerabilities (buffer overflow, out-of-bounds access)
Exploitability
Some exploitation risk — EPSS score 4.1%
Affected products (6)
2 with fix, 4 EOL
Product | Affected Versions | Fix Status
JT2Go | < V13.1.0 | 13.1.0
Teamcenter Visualization | < V13.1.0 | 13.1.0
JT2Go: All | < 13.1.0 | No fix (EOL)
Teamcenter Visualization: All | < 13.1.0 | No fix (EOL)
JT2Go: | 13.1.0 (Only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991) | No fix (EOL)
Teamcenter Visualization: | 13.1.0 (Only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991) | No fix (EOL)
Remediation & Mitigation
Do now
JT2Go
WORKAROUND: Restrict file downloads and file-sharing capabilities on engineering workstations; require users to validate file sources before opening in JT2Go or Teamcenter Visualization
All products
WORKAROUND: Disable automatic file preview or opening in these applications if available; require manual user action to execute files
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
JT2Go
HOTFIX: Upgrade JT2Go to version 13.1.0 or later (if available for your specific CVE set) or migrate to a patched alternative CAD visualization tool
Teamcenter Visualization
HOTFIX: Upgrade Teamcenter Visualization to version 13.1.0 or later (if available for your specific CVE set) or migrate to a patched alternative
Mitigations - no patch available
The following products have reached End of Life with no planned fix: JT2Go: All, Teamcenter Visualization: All, JT2Go:, Teamcenter Visualization:. Apply the following compensating controls:
HARDENING: Segment engineering workstations from the production control network using firewalls and VLANs to limit lateral movement if a workstation is compromised
HARDENING: Implement endpoint detection and response (EDR) or antivirus on engineering workstations to detect malicious code execution
CVEs (14)