OTPulse

SSA-429204 Open Design Alliance Drawings SDK Vulnerabilities in JT2Go and Teamcenter Visualization

Plan: Patch
CVSS: 7.8
Advisory: SSA-429204
Date: Jul 12, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

JT2Go and Teamcenter Visualization are affected by file parsing vulnerabilities in the Open Design Alliance Drawings SDK. When a user opens a malicious DWG (AutoCAD drawing) file with a vulnerable version of either product, the application may crash or arbitrary code may be executed. Siemens has released patched versions for all affected product lines: JT2Go 13.3.0.5, Teamcenter Visualization 12.4.0.15, 13.2.0.9, 13.3.0.5, and 14.0.0.2.

What this means
What could happen
An attacker could trick a user into opening a malicious DWG drawing file, causing JT2Go or Teamcenter Visualization to crash or potentially execute arbitrary code on the user's workstation. This could allow the attacker to access or modify engineering data, designs, or plant configurations.
Who's at risk
Design and engineering teams using Siemens JT2Go or Teamcenter Visualization for CAD/drawing review and collaboration. This affects any organization that uses these products to work with AutoCAD DWG files, including utilities that manage SCADA system diagrams, electrical schematics, or equipment layouts.
How it could be exploited
An attacker crafts a malicious DWG (drawing) file and delivers it via email or file sharing. When an engineer or technician opens the file with a vulnerable version of JT2Go or Teamcenter Visualization, the Drawings SDK parser processes the malformed file and either crashes the application or executes the attacker's code with the privileges of the logged-in user.
Prerequisites
  • User must open a malicious DWG file with a vulnerable version of JT2Go or Teamcenter Visualization
  • Social engineering or file delivery mechanism required (email attachment, USB, file share)
  • Requires user interaction (file open)
  • Low attack complexity
  • High impact if successful (code execution possible)
  • Design/engineering data exposure risk
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5)
5 with fix
Product                          Affected Versions   Fix Status
JT2Go                            < V13.3.0.5         13.3.0.5
Teamcenter Visualization V12.4   < V12.4.0.15        12.4.0.15
Teamcenter Visualization V13.2   < V13.2.0.9         13.2.0.9
Teamcenter Visualization V13.3   < V13.3.0.5         13.3.0.5
Teamcenter Visualization V14.0   < V14.0.0.2         14.0.0.2
Remediation & Mitigation
Do now
WORKAROUND: Disable DWG file opening if not required for business operations, or restrict file imports to drawings from trusted sources only
HARDENING: Implement email filtering rules to block or quarantine DWG file attachments from external senders
HARDENING: Educate engineering and design staff not to open DWG files from unknown or untrusted sources
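The two HARDENING items above depend on recognising DWG files reliably. The script below is an added example written for this page (it is not OTPulse or Siemens code) showing how an attachment or file-share filter can make that decision on two independent signals: the .dwg extension and the six-byte "AC10xx" release tag that real DWG files carry at offset 0. Keying on content as well as extension matters because a renamed drawing can simply be renamed back before an engineer opens it, while a deliberately corrupted header with a .dwg extension is exactly the malformed input the parser would choke on. The sample attachments, hostnames and the BLOCKED_EXTENSIONS policy are constructed for the example.

```python
import os
import re
from typing import Dict, Optional

# Real DWG files start with a six-byte ASCII release tag "AC10" + two digits.
# The mapping below covers the common tags; the release names are a convenience
# for reporting and are not needed for the block decision.
DWG_TAG = re.compile(rb"\AAC10[0-9]{2}")
DWG_RELEASES = {
    b"AC1015": "AutoCAD 2000-2002",
    b"AC1018": "AutoCAD 2004-2006",
    b"AC1021": "AutoCAD 2007-2009",
    b"AC1024": "AutoCAD 2010-2012",
    b"AC1027": "AutoCAD 2013-2017",
    b"AC1032": "AutoCAD 2018 and later",
}

# The advisory only names DWG, so that is all this example policy blocks
# (assumed policy; extend it if your environment also imports other formats).
BLOCKED_EXTENSIONS = {".dwg"}


def dwg_release(head: bytes) -> Optional[str]:
    """Return a release label if `head` carries a DWG tag, otherwise None."""
    m = DWG_TAG.match(head)
    if m is None:
        return None
    return DWG_RELEASES.get(m.group(0), "unknown DWG release " + m.group(0).decode())


def classify(filename: str, head: bytes) -> str:
    """Decide 'block' or 'allow' for one attachment from an external sender.

    Either signal alone is enough to block:
      * the extension is .dwg (the header may be deliberately corrupted);
      * the content starts with a DWG tag (a renamed file can be renamed back).
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if dwg_release(head) is not None:
        return "block"
    return "allow"


def scan_attachments(attachments: Dict[str, bytes]) -> Dict[str, str]:
    """Apply classify() to a {filename: leading_bytes} map taken from one inbound mail."""
    return {name: classify(name, head) for name, head in attachments.items()}


def classify_file(path: str) -> str:
    """Same decision for a file on disk (e.g. a share scanner); reads only 6 bytes."""
    with open(path, "rb") as fh:
        return classify(os.path.basename(path), fh.read(6))


# Constructed sample attachments (not real captures); only the leading bytes matter.
SAMPLE_ATTACHMENTS = {
    "site_layout.dwg": b"AC1032\x00\x00\x00\x00\x00\x00",    # genuine DWG, blocked by extension
    "vacation_photo.jpg": b"AC1027\x00\x00\x00\x00\x00\x00", # renamed DWG, blocked by content
    "weekly_report.pdf": b"%PDF-1.7\n",                      # allowed
    "schematic.DWG": b"\xff\xfe garbage",                    # corrupt header, still blocked by extension
    "notes.txt": b"AC10 is a tag",                           # 'AC10' followed by a space is not a DWG tag
}

if __name__ == "__main__":
    for name, verdict in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict:5s}  {name}")
```

The decision is deliberately coarse: it never tries to parse the drawing itself, because parsing untrusted DWG content with any library is the exposure this advisory is about. A gateway that quarantines on this basis and releases drawings only after a human confirms the sender is the "trusted sources only" workaround from the list, enforced rather than advised.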
Schedule — requires maintenance window

JT2Go and Teamcenter Visualization are desktop applications, so the update is applied on engineering workstations and may require a reboot; plan for interruption to engineering work.

JT2Go
HOTFIX: Update JT2Go to version 13.3.0.5 or later
Teamcenter Visualization V12.4
HOTFIX: Update Teamcenter Visualization V12.4 to version 12.4.0.15 or later
Teamcenter Visualization V13.2
HOTFIX: Update Teamcenter Visualization V13.2 to version 13.2.0.9 or later
Teamcenter Visualization V13.3
HOTFIX: Update Teamcenter Visualization V13.3 to version 13.3.0.5 or later
Teamcenter Visualization V14.0
HOTFIX: Update Teamcenter Visualization V14.0 to version 14.0.0.2 or later
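The affected-products table and the update steps above express one rule per release line, and the easy mistake when triaging an inventory is to compare an installed build against the wrong line (a 13.2 build is not fixed by 13.3.0.5) or to treat a line the advisory never mentions as safe. The script below is an added example, not OTPulse or Siemens tooling, that encodes the fixed versions exactly as the table states them, matches an installed build to its release line, and reports anything outside the listed lines as not-listed rather than fixed. The inventory rows and hostnames are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fixed versions from SSA-429204. Each entry is (release-line prefix, first fixed
# build). An empty prefix applies to every version of the product, which is how
# the advisory describes JT2Go ("< V13.3.0.5").
ADVISORY: Dict[str, List[Tuple[Tuple[int, ...], Version]]] = {
    "JT2Go": [((), (13, 3, 0, 5))],
    "Teamcenter Visualization": [
        ((12, 4), (12, 4, 0, 15)),
        ((13, 2), (13, 2, 0, 9)),
        ((13, 3), (13, 3, 0, 5)),
        ((14, 0), (14, 0, 0, 2)),
    ],
}


def parse_version(text: str) -> Version:
    """Turn 'V13.3.0.4', '13.3.0.4' or '13.3' into a 4-tuple (missing parts are 0)."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+){0,3})\s*", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 4:
        parts.append(0)
    return (parts[0], parts[1], parts[2], parts[3])


def fmt(v: Tuple[int, ...]) -> str:
    return ".".join(str(p) for p in v)


def assess(product: str, installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version) for an installed build.

    status is one of:
      'vulnerable'  - the release line is listed and the build predates the fix
      'fixed'       - the release line is listed and the build is at or after the fix
      'not-listed'  - the advisory names no fix for this release line; do not
                      assume it is safe, confirm its support status with Siemens
    """
    if product not in ADVISORY:
        raise KeyError(f"{product!r} is not covered by SSA-429204")
    v = parse_version(installed)
    for prefix, fixed in ADVISORY[product]:
        if v[: len(prefix)] == prefix:  # tuples compare component by component
            return ("fixed" if v >= fixed else "vulnerable", fmt(fixed))
    return ("not-listed", None)


# Constructed inventory (hostname, product, version as shown by the installer).
INVENTORY = [
    ("eng-ws-01", "JT2Go", "V13.2.0.9"),                     # older JT2Go line, still below 13.3.0.5
    ("eng-ws-02", "JT2Go", "13.3.0.5"),
    ("eng-ws-03", "Teamcenter Visualization", "13.2.0.8"),
    ("eng-ws-04", "Teamcenter Visualization", "13.2.0.9"),
    ("eng-ws-05", "Teamcenter Visualization", "14.0.0.1"),
    ("eng-ws-06", "Teamcenter Visualization", "13.1.0.3"),   # line not in the advisory
]


def triage(inventory) -> List[Tuple[str, str, str, Optional[str]]]:
    """Annotate each inventory row with its status and the fix version it needs."""
    out = []
    for host, product, version in inventory:
        status, fixed = assess(product, version)
        out.append((host, product, status, fixed))
    return out


if __name__ == "__main__":
    for host, product, status, fixed in triage(INVENTORY):
        need = f"update to {fixed}" if status == "vulnerable" else ""
        print(f"{host:10s} {product:26s} {status:11s} {need}")
```

On Windows workstations the installed build can be read from the application's About dialog or from the DisplayVersion value under the installer's Uninstall registry key; feed those strings to assess() as-is, since parse_version() accepts both the "V13.3.0.5" form used in the table and the bare form used by installers.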