JT File Parsing Vulnerabilities in JT Open, JT Utilities and Parasolid

Plan Patch7.8SSA-836777Feb 14, 2023

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

JT Open Toolkit, JT Utilities, and Parasolid contain memory corruption vulnerabilities (buffer overflow and out-of-bounds read) that are triggered when parsing JT files. An attacker could craft a malicious JT file that, when opened by a user, causes the application to crash or execute arbitrary code. Siemens has released patches for all affected product versions.

What this means

What could happen

If an operator or engineer opens a malicious JT file in any of these products, the application could crash (causing loss of access to design or manufacturing data) or an attacker could run commands with the privileges of the user, potentially compromising CAD/CAM systems and the designs they contain.

Who's at risk

Manufacturers and design engineering teams using JT Open Toolkit, JT Utilities, or Parasolid (part of Siemens digital manufacturing and PLM software suite) are affected. This includes CAD technicians, design engineers, and any personnel who work with JT file format in design, simulation, or manufacturing planning roles. Affected organizations may include automotive, aerospace, industrial equipment manufacturers, and engineering firms.

How it could be exploited

An attacker creates a malicious JT file with specially crafted data that triggers a memory corruption bug in the file parser. The attacker sends or hosts the file where a user (designer, engineer, or technician) might download or open it. When the user opens the file in JT Open, JT Utilities, or Parasolid, the parser fails to properly validate data, causing a buffer overflow or out-of-bounds read. This crashes the application or allows the attacker to execute arbitrary code in the context of that user.

Prerequisites

<parameter name="item">User must open a malicious JT file in one of the affected products

<parameter name="item">Low complexity exploitation

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (7)

7 with fix

ProductAffected VersionsFix Status

JT Open< V11.2.3.011.2.3.0

JT Utilities< V13.2.3.013.2.3.0

Parasolid V34.0< V34.0.25234.0.252

Parasolid V34.0< V34.0.25434.0.254

Parasolid V34.1< V34.1.24234.1.242

Parasolid V35.0< V35.0.17035.0.170

Parasolid V35.1< V35.1.15035.1.150

Remediation & Mitigation

Update to V11.2.3.0 or later version Update to V13.2.3.0 or later version Update to V34.0.252 or later version Update to V34.1.242 or later version Update to V35.0.170 or later version

CVEs (3)

CVE-2022-47936 CVE-2022-47977 CVE-2023-25140

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/a2261fd8-8bee-40b1-bef4-11d254ac93a0