ICSA-21-194-15: Siemens JT2Go and Teamcenter Visualization
Plan Patch | 7.8 | ICS-CERT ICSA-21-194-15 | Jul 13, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Multiple memory corruption vulnerabilities exist in Siemens JT2Go and Teamcenter Visualization versions prior to 13.2. These include use-after-free, out-of-bounds read/write, and buffer overflow conditions (CWE-415, CWE-835, CWE-787, CWE-416, CWE-122, CWE-126, CWE-125, CWE-119). The vulnerabilities are triggered during the parsing of specially crafted JT file format documents.
What this means
What could happen
An attacker could crash these applications or execute arbitrary code by sending a malicious JT file to a user. Since these tools are design and visualization applications used by engineering teams, successful exploitation could disrupt design workflows or allow an attacker to compromise engineering workstations that may have network access to control systems.
Who's at risk
This affects engineering and design teams who use Siemens JT2Go or Teamcenter Visualization for 3D CAD viewing and design work. In a water or electric utility environment, this includes design engineering staff who may also have network access to control systems or supervisory workstations. Compromise of an engineering workstation could provide an attacker with a foothold into the corporate network or, if improperly segmented, into operational networks.
How it could be exploited
An attacker would create a malicious JT file (a 3D visualization format used in engineering) that triggers memory corruption when opened in JT2Go or Teamcenter Visualization. The attacker sends this file to an engineer via email or file sharing. When the engineer opens the file without suspecting it is malicious, the vulnerability is triggered, potentially allowing code execution on the engineering workstation.
Prerequisites
- User interaction required—engineer or designer must open a malicious JT file
- JT2Go or Teamcenter Visualization must be installed on the target workstation
- Attacker must be able to deliver the malicious file (via email, USB, or network share)
- User interaction required
- No authentication needed to open a malicious file
- Low complexity attack
- No patch available yet (advisory released before vendor fix)
- Default file association allows automatic opening of JT files
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
JT2Go: All | < 13.2 | 13.2
Teamcenter Visualization: All | < 13.2 | 13.2
Remediation & Mitigation
Do now
- WORKAROUND: Implement email filtering to block or warn on unexpected file attachments containing JT files from external sources
- WORKAROUND: Educate users not to open JT files from untrusted sources
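A sketch of the email-filtering workaround above, added here as an example and not taken from the advisory or from Siemens: it quarantines messages from outside the organisation that carry a JT file either directly or inside a ZIP attachment. The domain `utility.example`, the function names and the sample messages are assumptions; matching is by file name only, so a renamed file is not caught.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"utility.example"}  # assumption: the organisation's own mail domains

def is_jt(name):
    # Windows ignores trailing dots/spaces, so "a.jt." still opens as a JT file.
    return name.lower().rstrip(". ").endswith(".jt")

def jt_attachments(msg):
    """List JT files attached directly or packed inside ZIP attachments."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_jt(name):
            hits.append(name)
            continue
        data = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(data)):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if is_jt(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name}!<unreadable zip>")  # fail closed: treat as suspect
    return hits

def triage(raw):
    """Return ('quarantine' | 'deliver', [matching attachment names])."""
    msg = message_from_bytes(raw, policy=policy.default)
    # Assumption: the From header is used for brevity; a real gateway should
    # rely on the authenticated sender (SPF/DKIM/DMARC result) instead.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    hits = jt_attachments(msg)
    external = domain not in INTERNAL_DOMAINS
    return ("quarantine" if hits and external else "deliver", hits)

def sample(sender, filename, data=b"constructed, not a real JT file"):
    """Build a constructed test message with one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "eng@utility.example", "model"
    m.set_content("see attached")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample("Vendor <cad@supplier.example>", "pump.JT")))
    print(triage(sample("Colleague <a@utility.example>", "pump.jt")))
```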
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update JT2Go to version 13.2 or later
- HOTFIX: Update Teamcenter Visualization to version 13.2 or later
Long-term hardening
- HARDENING: Segment engineering workstations from direct network access to production control systems and PLCs
CVEs (43)
CVE-2021-34333, CVE-2021-34332, CVE-2021-34331, CVE-2021-34330, CVE-2021-34329, CVE-2021-34328, CVE-2021-34327, CVE-2021-34326, CVE-2021-34325, CVE-2021-34324, CVE-2021-34323, CVE-2021-34322, CVE-2021-34321, CVE-2021-34320, CVE-2021-34319, CVE-2021-34318, CVE-2021-34317, CVE-2021-34316, CVE-2021-34315, CVE-2021-34314, CVE-2021-34313, CVE-2021-34312, CVE-2021-34311, CVE-2021-34310, CVE-2021-34309, CVE-2021-34308, CVE-2021-34307, CVE-2021-34306, CVE-2021-34305, CVE-2021-34304, CVE-2021-34303, CVE-2021-34302, CVE-2021-34301, CVE-2021-34300, CVE-2021-34299, CVE-2021-34298, CVE-2021-34297, CVE-2021-34296, CVE-2021-34295, CVE-2021-34294, CVE-2021-34293, CVE-2021-34292, CVE-2021-34291