RBS-2021-001 – Siemens JT2Go / Teamcenter Visualization

Siemens JT2Go and Teamcenter Visualization contain multiple vulnerabilities that are triggered when parsing various file formats. This may allow context-dependent attackers to execute arbitrary code on a user’s system when tricked into opening a malicious file.

Siemens JT2Go / Teamcenter Visualization Multiple Vulnerabilities

Vendor / Product information

“JT2Go is the industry leading no charge 3D JT viewing tool. JT2Go has been unanimously embraced by industry leaders as the premier free viewing tool for JT data. By providing a comprehensive Desktop application and mobile platform solutions on iOS and Android, Siemens has made viewing of JT data available for everyone in nearly any situation.”

Source:
https://www.plm.automation.siemens.com/global/en/products/plm-components/jt2go.html

Vulnerable program details

Details for tested products and versions:

Vendor: Siemens
Product: JT2Go
Version: 13.0.20227

NOTE: The vendor states in their security advisory that versions prior to 13.1.0 are affected. They also list the Teamcenter Visualization product as vulnerable.

Credits

[name, org]
Twitter: [@username]

Vulnerability details

VisDraw.dll CGM File Font String Handling Stack Buffer Overflow (CVE-2020-26992)

During the parsing of CGM image files, a function in VisDraw.dll is called to parse the font information. A font string is read from the image and copied straight into a 160-byte stack buffer without any boundary check. This may lead to a stack-based buffer overflow when opening a CGM file containing an overly long font string.

VisDraw.dll Draw::GetFontIndexAndName() Function CGM File Font Handling Stack Buffer Overflow (CVE-2020-26993)

During the parsing of CGM image files, the exported Draw::GetFontIndexAndName() function in VisDraw.dll is called to parse the font information. A font string is read from the image and copied straight into an 80-byte stack buffer without any boundary check. This may lead to a stack-based buffer overflow when opening a CGM file containing an overly long font string.

BMP_Loader.dll PCX File Handling Heap Buffer Overflow (CVE-2020-26994)

During the parsing of PCX image files, a function in BMP_Loader.dll is called. Content is copied into a heap buffer whose size is derived from the number of planes and bytes per line listed in the PCX file, without proper boundary checks. This may lead to a heap-based buffer overflow when opening a specially crafted PCX file.
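The hardened counterpart of the PCX copy described above, as an added illustration and not the BMP_Loader.dll code (whose internals the page does not show): the destination size is computed from planes, bytes per line and height with overflow and cap checks, and every run-length run is checked against the remaining destination space before it is written. PCX_MAX_IMAGE_BYTES, the function names and the sample stream are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative PCX-style scanline decoder, not the BMP_Loader.dll code (whose
 * internals are not on the page). PCX run-length encoding: a byte with the top
 * two bits set (0xC0) carries a repeat count in its low 6 bits and is followed
 * by the byte to repeat; any other byte is a literal pixel byte. */

#define PCX_MAX_IMAGE_BYTES (64u * 1024u * 1024u) /* assumed policy cap */

/* Destination size from header fields, rejecting zero/oversized plane counts
 * and anything above the cap. The 16-bit fields keep the product within
 * 64 bits. Returns 0 when the header is rejected. */
size_t pcx_image_size(uint8_t planes, uint16_t bytes_per_line, uint16_t height) {
    if (planes == 0 || planes > 4 || bytes_per_line == 0 || height == 0)
        return 0;
    uint64_t n = (uint64_t)planes * bytes_per_line * height;
    return n > PCX_MAX_IMAGE_BYTES ? 0 : (size_t)n;
}

/* Decode RLE data from src into dst. Each run is checked against the space
 * left in dst before it is written, so crafted counts are refused rather than
 * overrunning the heap. Returns bytes written, or -1 on truncation/overrun. */
long pcx_rle_decode(const uint8_t *src, size_t src_len,
                    uint8_t *dst, size_t dst_len) {
    size_t in = 0, out = 0;
    while (in < src_len) {
        uint8_t b = src[in++];
        size_t run = 1;
        if ((b & 0xC0) == 0xC0) {
            run = b & 0x3F;
            if (in >= src_len) return -1;    /* count byte with no value byte */
            b = src[in++];
        }
        if (run > dst_len - out) return -1;  /* the boundary check that was missing */
        memset(dst + out, b, run);
        out += run;
    }
    return (long)out;
}

/* Constructed sample stream: 5 x 0x11, literal 0x22, 2 x 0x33 = 8 bytes. */
static const uint8_t SAMPLE_RLE[] = {0xC5, 0x11, 0x22, 0xC2, 0x33};

/* Decode the sample into a destination of dst_len bytes (at most 64). */
long decode_sample(size_t dst_len) {
    uint8_t dst[64];
    if (dst_len > sizeof dst) return -1;
    return pcx_rle_decode(SAMPLE_RLE, sizeof SAMPLE_RLE, dst, dst_len);
}
```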

Jt971.dll JTNode Destructor Type Confusion Invalid Pointer Dereference (CVE-2020-26980)

During the parsing of JT files, a type confusion flaw may occur in the JTNode destructor in Jt971.dll. This may lead to invalid data being dereferenced as a virtual function pointer and could lead to arbitrary code execution when opening a specially crafted JT file.

Jt971.dll JtBitLengthCodec2::decode() Function Heap Buffer Overflow (CVE-2020-26986)

During the parsing of JT files, the JtBitLengthCodec2::decode() function in Jt971.dll is called to decode content that is copied into a heap buffer based on values in the JT file, without proper boundary checks. This may lead to a heap-based buffer overflow when opening a specially crafted JT file.

Proof of concept

Solution

Upgrade to version 13.1.0.

References

VulnDB: 246681, 246682, 246683, 246684, 246685

Siemens: https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf, https://cert-portal.siemens.com/productcert/txt/ssa-622830.txt

CVE: CVE-2020-26980, CVE-2020-26986, CVE-2020-26992, CVE-2020-26993, CVE-2020-26994

Timeline

  • 2020-10-19: First three vulnerabilities reported to the vendor.
  • 2020-10-19: Vendor response received.
  • 2020-10-30: Two additional vulnerabilities reported to the vendor.
  • 2020-10-30: Vendor response received.
  • 2021-01-12: Vendor releases security advisory and updated version.
  • 2021-01-12: Alert sent to RBS VulnDB clients and publication of this vulnerability report.