Multiple Vulnerabilities in Siemens JT2Go and Teamcenter Visualization

DESCRIPTION:
Multiple vulnerabilities have been discovered in Siemens’ JT2Go and
Teamcenter Visualization products, the most severe of which could allow
for arbitrary code execution in the context of the system process. JT2Go
and Teamcenter Visualization are used for viewing 3D models. Depending
on the privileges associated with the application, an attacker could
view, change, or delete data. If this application has been configured to
have fewer user rights on the system, exploitation of the most severe of
these vulnerabilities could have less impact than if it was configured
with administrative rights.

IMPACT:
Multiple vulnerabilities have been discovered in Siemens’ JT2Go and
Teamcenter Visualization products, the most severe of which could allow
for arbitrary code execution in the context of the system process.
Exploits can be triggered by an unsuspecting user opening a malicious
file with the vulnerable software.

Details of the vulnerabilities are as follows:

* An XML External Entity injection vulnerability (CVE-2020-26981)
* An out-of-bounds write error when parsing ‘CG4’ and ‘CGM’ files
(CVE-2020-26982 and CVE-2020-26996)
* An out-of-bounds write error when parsing ‘JT’ files (CVE-2020-26984)
* An out-of-bounds write error when parsing ‘PAR’ files (CVE-2020-26988
and CVE-2020-28383)
* An out-of-bounds write error when parsing ‘PDF’ files (CVE-2020-26983)
* An out-of-bounds write error when parsing ‘RGB’ and ‘SGI’ files
(CVE-2020-26995)
* A heap-based buffer-overflow when parsing ‘JT’ files (CVE-2020-26986)
* A heap-based buffer-overflow when parsing ‘PCX’ files (CVE-2020-26994)
* A heap-based buffer-overflow when parsing ‘RGB’ and ‘SGI’ files
(CVE-2020-26985)
* A heap-based buffer-overflow when parsing ‘TGA’ files (CVE-2020-26987)
* A stack-based buffer-overflow when parsing ‘CGM’ files (CVE-2020-26992
and CVE-2020-26993)
* A stack-based buffer-overflow when parsing ‘PAR’ files (CVE-2020-26989)
* A type-confusion vulnerability when parsing JT files (CVE-2020-26980)
* A type-confusion vulnerability when parsing ‘ASM’ files (CVE-2020-26990)
* An untrusted pointer dereference when parsing ‘ASM’ files (CVE-2020-26991)

Successful exploitation of the most severe of these vulnerabilities
could allow an attacker to execute arbitrary code in the context of the
browser. Depending on the privileges associated with the application, an
attacker could view, change, or delete data. If this application has
been configured to have fewer user rights on the system, exploitation of
the most severe of these vulnerabilities could have less impact than if
it was configured with administrative rights.

SYSTEM AFFECTED:
* JT2Go versions prior to 13.1.0
* Teamcenter Visualization versions prior to 13.1.0

RECOMMENDATIONS:
We recommend the following actions be taken:

* Install the updates provided by Siemens immediately after appropriate
testing.
* Remind users not to visit un-trusted websites or follow links provided
by unknown or un-trusted sources.
* Inform and educate users regarding the threats posed by hypertext
links contained in emails or attachments especially from un-trusted sources.
* Apply the Principle of Least Privilege to all systems and services;
run all software as a nonprivileged user with minimal access rights.

REFERENCES:
https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf
https://us-cert.cisa.gov/ics/advisories/icsa-21-012-03