BreachExchange mailing list archives
New Research: RBS-2021-001 – Siemens JT2Go / Teamcenter Visualization
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 13 Jan 2021 07:52:36 -0600
https://www.riskbasedsecurity.com/research/rbs-2021-001-siemens-jt2go-teamcenter-visualization/

Vendor / Product Information

"JT2Go is the industry leading no charge 3D JT viewing tool. JT2Go has been unanimously embraced by industry leaders as the premier free viewing tool for JT data. By providing a comprehensive Desktop application and mobile platform solutions on iOS and Android, Siemens has made viewing of JT data available for everyone in nearly any situation."

Source: https://www.plm.automation.siemens.com/global/en/products/plm-components/jt2go.html

Vulnerable Program Details

Details for tested products and versions:

Vendor: Siemens
Product: JT2Go
Version: 13.0.20227

NOTE: The vendor states in their security advisory that versions prior to 13.1.0 are affected. They also list the Teamcenter Visualization product as vulnerable.

Credits

Carsten Eiram, Risk Based Security
Twitter: @RiskBased

Vulnerability Details

Siemens JT2Go and Teamcenter Visualization contain multiple vulnerabilities that are triggered when parsing various file formats. This may allow context-dependent attackers to execute arbitrary code on a user's system when the user is tricked into opening a malicious file.

VisDraw.dll CGM File Font String Handling Stack Buffer Overflow (CVE-2020-26992)

During the parsing of CGM image files, a function in VisDraw.dll is called to parse the font information. A font string is located in the image and copied straight into a 160-byte stack buffer without performing any boundary checks. This may lead to a stack-based buffer overflow when opening a CGM file containing an overly long font string.

VisDraw.dll Draw::GetFontIndexAndName() Function CGM File Font Handling Stack Buffer Overflow (CVE-2020-26993)

During the parsing of CGM image files, the exported Draw::GetFontIndexAndName() function in VisDraw.dll is called to parse the font information. A font string is located in the image and copied straight into an 80-byte stack buffer without performing any boundary checks. This may lead to a stack-based buffer overflow when opening a CGM file containing an overly long font string.

BMP_Loader.dll PCX File Handling Heap Buffer Overflow (CVE-2020-26994)

During the parsing of PCX image files, a function is called in BMP_Loader.dll. Content is copied into a heap buffer based on the number of planes and bytes per line listed in the PCX file without performing proper boundary checks. This may lead to a heap-based buffer overflow when opening a specially crafted PCX file.

Jt971.dll JTNode Destructor Type Confusion Invalid Pointer Dereference (CVE-2020-26980)

During the parsing of JT files, a type confusion flaw may occur in the JTNode destructor in Jt971.dll. This may lead to invalid data being dereferenced as a virtual function pointer and could lead to arbitrary code execution when opening a specially crafted JT file.

Jt971.dll JtBitLengthCodec2::decode() Function Heap Buffer Overflow (CVE-2020-26986)

During the parsing of JT files, the JtBitLengthCodec2::decode() function in Jt971.dll is called to decode content that is copied into a heap buffer based on values in the JT file without performing proper boundary checks. This may lead to a heap-based buffer overflow when opening a specially crafted JT file.

Solution

Upgrade to version 13.1.0.

References

VulnDB: 246681, 246682, 246683, 246684, 246685
Siemens: https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf, https://cert-portal.siemens.com/productcert/txt/ssa-622830.txt
CVE: CVE-2020-26980, CVE-2020-26986, CVE-2020-26992, CVE-2020-26993, CVE-2020-26994

Timeline

2020-10-19: First three vulnerabilities reported to the vendor.
2020-10-19: Vendor response received.
2020-10-30: Two additional vulnerabilities reported to the vendor.
2020-10-30: Vendor response received.
2021-01-12: Vendor releases security advisory and updated version.
2021-01-12: Alert sent to RBS VulnDB clients and publication of this vulnerability report.
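As an added example (not code from Siemens or Risk Based Security), here are bounded versions of the two copy patterns the advisory describes: a font string that is length-checked before it reaches a fixed 160-byte buffer (the CVE-2020-26992 case), and a PCX scanline decoder that refuses any run exceeding the planes * bytes-per-line size it was given (the CVE-2020-26994 case). The simplified record layouts and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Siemens code: bounded versions of the two copy
 * patterns the advisory describes. Record layouts and names are assumed. */

#define FONT_BUF_SIZE 160   /* stack buffer size named for CVE-2020-26992 */

/* Simplified font record: one length byte, then that many string bytes.
 * Copies into the caller's fixed-size buffer only if string plus NUL fits.
 * Returns the copied length, or -1 if the record is truncated or too long. */
int parse_font_record(const uint8_t *rec, size_t rec_len,
                      char *buf, size_t buf_size)
{
    if (rec_len < 1) return -1;
    size_t len = rec[0];
    if (len + 1 > rec_len) return -1;        /* string bytes missing */
    if (len + 1 > buf_size) return -1;       /* would overrun buf */
    memcpy(buf, rec + 1, len);
    buf[len] = '\0';
    return (int)len;
}

/* PCX RLE scanline decoder: the output size comes from planes and
 * bytes-per-line, the header values CVE-2020-26994 says were trusted.
 * A run that would write past that size is rejected rather than copied.
 * Returns bytes produced, or -1 on exhausted, oversized or empty input. */
int decode_pcx_scanline(const uint8_t *src, size_t src_len, uint8_t planes,
                        uint16_t bytes_per_line, uint8_t *out, size_t out_size)
{
    size_t want = (size_t)planes * bytes_per_line;
    if (want == 0 || want > out_size) return -1;
    size_t in = 0, pos = 0;
    while (pos < want) {
        if (in >= src_len) return -1;         /* input exhausted */
        uint8_t b = src[in++];
        size_t count = 1;
        if ((b & 0xC0) == 0xC0) {             /* RLE byte: count, then value */
            count = b & 0x3F;
            if (in >= src_len) return -1;
            b = src[in++];
        }
        if (count > want - pos) return -1;    /* run would overflow out */
        memset(out + pos, b, count);
        pos += count;
    }
    return (int)pos;
}
```

Each function makes the destination size an explicit argument and fails closed, which is the property the advisory says both parsers lacked.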