Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go

Plan Patch7.8SSA-120378Nov 8, 2022

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Siemens Teamcenter Visualization and JT2Go contain multiple file parsing vulnerabilities in the TIF, CGM, and PDF handlers due to improper input validation (CWE-122, CWE-787, CWE-125, CWE-416, CWE-121). When a user opens a malicious file in one of these formats, the parser can crash the application or allow arbitrary code execution.

What this means

What could happen

A user opening a malicious TIF, CGM, or PDF file in Teamcenter Visualization or JT2Go could crash the application or allow an attacker to run arbitrary commands on the engineering workstation, potentially accessing sensitive design data or CAD models.

Who's at risk

This affects organizations using Siemens Teamcenter Visualization or JT2Go, particularly engineering and design teams who work with CAD models, TIF images, CGM graphics, and PDF documents. Manufacturing plants and engineering firms managing product design workflows should prioritize patching engineering workstations.

How it could be exploited

An attacker crafts a malicious TIF, CGM, or PDF file and tricks a user (typically an engineer or designer) into opening it with Teamcenter Visualization or JT2Go. The vulnerable file parser fails to validate input correctly, triggering a memory corruption vulnerability that crashes the application or executes arbitrary code with the user's privileges.

Prerequisites

User interaction required: the user must open a malicious file
Affected product must be installed and used to open files
Attacker must be able to deliver the malicious file to the user (e.g., email, shared folder, download link)

requires user interactionaffects engineering workstationsmemory corruption vulnerabilities

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

JT2GoAll versions < V14.1.0.414.1.0.4

Teamcenter Visualization V13.2< V13.2.0.1213.2.0.12

Teamcenter Visualization V13.3< V13.3.0.713.3.0.7

Teamcenter Visualization V13.3≥ V13.3.0.7< V13.3.0.813.3.0.8

Teamcenter Visualization V14.0< V14.0.0.314.0.0.3

Teamcenter Visualization V14.1< V14.1.0.414.1.0.4

Remediation & Mitigation

0/6

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

JT2Go

HOTFIXUpdate JT2Go to version 14.1.0.4 or later

Teamcenter Visualization V13.2

HOTFIXUpdate Teamcenter Visualization V13.2 to version 13.2.0.12 or later

Teamcenter Visualization V13.3

HOTFIXUpdate Teamcenter Visualization V13.3 to version 13.3.0.8 or later

Teamcenter Visualization V14.0

HOTFIXUpdate Teamcenter Visualization V14.0 to version 14.0.0.3 or later

Teamcenter Visualization V14.1

HOTFIXUpdate Teamcenter Visualization V14.1 to version 14.1.0.4 or later

Long-term hardening

0/1

HARDENINGRestrict file opening to trusted sources and educate users not to open TIF, CGM, or PDF files from untrusted senders

CVEs (6)

CVE-2022-39136 CVE-2022-41660 CVE-2022-41661 CVE-2022-41662 CVE-2022-41663 CVE-2022-41664

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2016eeaa-b7a6-48ce-81a6-2d99cdab106a