OTPulse

XML File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go

Plan Patch · 7.8 · SSA-959281 · Oct 8, 2024
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Siemens Teamcenter Visualization and JT2Go contain stack buffer overflow (CWE-121) and null pointer dereference (CWE-476) vulnerabilities in XML file parsing. If a user opens a malicious XML file in any of the affected products, the application may crash or execute arbitrary code with user privileges. The vulnerabilities are triggered during XML parsing with no additional authentication required.

What this means
What could happen
An attacker could craft a malicious XML file that, when opened by a user in Teamcenter Visualization or JT2Go, causes the application to crash or runs arbitrary commands with the privileges of the user. This disrupts design review and manufacturing planning workflows in facilities that rely on these tools.
Who's at risk
Engineering and manufacturing teams using Siemens Teamcenter Visualization (versions 14.2, 14.3, 2312, or 2406) or JT2Go on engineering workstations. This affects design review, CAD visualization, and manufacturing planning in factories and design offices.
How it could be exploited
An attacker crafts a malicious XML file and sends it to a user via email, file share, or website. When the user opens the file in Teamcenter Visualization or JT2Go, the application attempts to parse the XML. The parsing logic contains a buffer overflow or null pointer dereference that the attacker's XML triggers, causing either a crash or code execution on the user's workstation.
Prerequisites
  • User must open a malicious XML file with Teamcenter Visualization or JT2Go
  • No network access required; exploit is local to the workstation
  • No special credentials or configuration needed
  • User interaction required (social engineering)
  • Local code execution possible
  • Low complexity exploit
  • All affected products have patches available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (5)
5 with fix
Product                          Affected Versions  Fix Status
JT2Go                            < V2406.0003       2406.0003
Teamcenter Visualization V14.2   < V14.2.0.13       14.2.0.13
Teamcenter Visualization V14.3   < V14.3.0.11       14.3.0.11
Teamcenter Visualization V2312   < V2312.0008       2312.0008
Teamcenter Visualization V2406   < V2406.0003       2406.0003
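
An added example (not part of the advisory or any Siemens tooling): a Python triage of a workstation software inventory against the fixed versions listed above. The inventory rows, host names and function names are constructed for illustration; versions are compared numerically per component, so 14.3.0.9 sorts below 14.3.0.11.

```python
import re

# Fixed versions copied from the advisory's affected-products table.
# Fields: product, release-line prefix (None = product has a single line), fix.
FIXES = [
    ("JT2Go", None, "2406.0003"),
    ("Teamcenter Visualization", "14.2", "14.2.0.13"),
    ("Teamcenter Visualization", "14.3", "14.3.0.11"),
    ("Teamcenter Visualization", "2312", "2312.0008"),
    ("Teamcenter Visualization", "2406", "2406.0003"),
]

# Constructed sample inventory (host, product, installed version).
INVENTORY = [
    ("eng-ws-01", "JT2Go", "V2406.0002"),
    ("eng-ws-02", "Teamcenter Visualization", "14.2.0.13"),
    ("eng-ws-03", "Teamcenter Visualization", "14.3.0.9"),
    ("eng-ws-04", "Teamcenter Visualization", "2312.0008"),
    ("eng-ws-05", "Teamcenter Visualization", "14.1.0.4"),
    ("eng-ws-06", "JT2Go", "unknown build"),
]

def parse_version(text):
    """'V2406.0003' -> (2406, 3); None if the string is not dotted-numeric."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(product, version):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unknown' for one install."""
    installed = parse_version(version)
    if installed is None:
        return "unknown"  # needs a manual check, never assume patched
    for name, line, fixed in FIXES:
        if name.lower() != product.strip().lower():
            continue
        if line is not None and installed[:len(parse_version(line))] != parse_version(line):
            continue  # different release line of the same product
        fixed_v = parse_version(fixed)
        width = max(len(installed), len(fixed_v))
        pad = lambda v: v + (0,) * (width - len(v))  # 14.2 == 14.2.0
        return "vulnerable" if pad(installed) < pad(fixed_v) else "fixed"
    return "not-listed"  # product or release line absent from the advisory

def report(rows):
    return {host: triage(product, version) for host, product, version in rows}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```
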
Remediation & Mitigation
Do now
HARDENING: Educate users not to open XML files from untrusted or unexpected sources
WORKAROUND: Consider disabling XML file associations or opening behavior in Teamcenter if not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

JT2Go
HOTFIX: Update JT2Go to version 2406.0003 or later
Teamcenter Visualization V14.2
HOTFIX: Update Teamcenter Visualization V14.2 to version 14.2.0.13 or later
Teamcenter Visualization V14.3
HOTFIX: Update Teamcenter Visualization V14.3 to version 14.3.0.11 or later
Teamcenter Visualization V2312
HOTFIX: Update Teamcenter Visualization V2312 to version 2312.0008 or later
Teamcenter Visualization V2406
HOTFIX: Update Teamcenter Visualization V2406 to version 2406.0003 or later
API: /api/v1/advisories/ce4715f3-21a0-4e7d-9d4d-cf57c3b9d58c