[BreachExchange] New Research: RBS-2021-001 – Siemens JT2Go / Teamcenter Visualization

Destry Winant destry at riskbasedsecurity.com
Wed Jan 13 08:52:36 EST 2021


https://www.riskbasedsecurity.com/research/rbs-2021-001-siemens-jt2go-teamcenter-visualization/

Vendor / Product Information

“JT2Go is the industry leading no charge 3D JT viewing tool. JT2Go has
been unanimously embraced by industry leaders as the premier free
viewing tool for JT data. By providing a comprehensive Desktop
application and mobile platform solutions on iOS and Android, Siemens
has made viewing of JT data available for everyone in nearly any
situation.”

Source:
https://www.plm.automation.siemens.com/global/en/products/plm-components/jt2go.html

Vulnerable Program Details

Details for tested products and versions:

Vendor: Siemens
Product: JT2Go
Version: 13.0.20227

NOTE: The vendor states in their security advisory that versions prior
to 13.1.0 are affected. They also list the Teamcenter Visualization
product as vulnerable.

Credits

Carsten Eiram, Risk Based Security
Twitter: @RiskBased

Vulnerability Details

Siemens JT2Go and Teamcenter Visualization contain multiple
vulnerabilities that are triggered when parsing various file formats.
This may allow context-dependent attackers to execute arbitrary code
on a user's system when the user is tricked into opening a malicious file.

VisDraw.dll CGM File Font String Handling Stack Buffer Overflow (CVE-2020-26992)

During the parsing of CGM image files, a function in VisDraw.dll is
called to parse the font information. A font string is located in the
image and copied straight into a 160-byte stack buffer without
performing any boundary checks. This may lead to a stack-based buffer
overflow when opening a CGM file containing an overly long font
string.

VisDraw.dll Draw::GetFontIndexAndName() Function CGM File Font
Handling Stack Buffer Overflow (CVE-2020-26993)

During the parsing of CGM image files, the exported
Draw::GetFontIndexAndName() function in VisDraw.dll is called to parse
the font information. A font string is located in the image and copied
straight into an 80-byte stack buffer without performing any boundary
checks. This may lead to a stack-based buffer overflow when opening a
CGM file containing an overly long font string.
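Both CGM issues above are the same bug class: a length taken from the file is checked (at most) against the remaining input and then used to copy into a fixed-size stack array. The following is an added illustration, not code from VisDraw.dll or from the RBS report; the record layout (one length byte followed by the font name) is an assumed simplification of the real CGM binary encoding, and FONT_BUF matches the 160-byte buffer the advisory names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define FONT_BUF 160   /* stack buffer size named in the advisory for CVE-2020-26992 */

/* Assumed record layout (a simplification, not the real CGM binary encoding):
 * one length byte followed by that many bytes of font name. */

/* Vulnerable pattern: the length field is checked against the input, never against the
 * destination, and the destination is a fixed stack array. A length of 160..255 smashes
 * the stack. Kept for contrast; only call it with a name shorter than FONT_BUF. */
static int parse_font_vulnerable(const uint8_t *rec, size_t len, char *out, size_t out_cap) {
    char font[FONT_BUF];
    if (len < 1 || (size_t)rec[0] > len - 1) return -1;
    size_t n = rec[0];
    memcpy(font, rec + 1, n);            /* n may be up to 255, font holds 160 */
    font[n] = '\0';
    snprintf(out, out_cap, "%s", font);
    return 0;
}

/* Hardened: the length is validated against both the remaining input and the destination
 * capacity (leaving room for the terminator). Oversize names are rejected rather than
 * truncated, since a clipped font name is itself a sign of a malformed file. */
static int parse_font_hardened(const uint8_t *rec, size_t len, char *out, size_t out_cap) {
    if (len < 1) return -1;
    size_t n = rec[0];
    if (n > len - 1) return -1;          /* length field runs past the end of the input */
    if (n >= out_cap) return -1;         /* would not fit together with the NUL terminator */
    memcpy(out, rec + 1, n);
    out[n] = '\0';
    return 0;
}

/* Build a record whose name is n repeated 'A' bytes (constructed test input). */
static size_t build_font_record(uint8_t *buf, size_t n) {
    buf[0] = (uint8_t)n;
    memset(buf + 1, 'A', n);
    return 1 + n;
}

int main(void) {
    uint8_t rec[256];
    char name[FONT_BUF];

    size_t len = build_font_record(rec, 12);
    int rc_vuln = parse_font_vulnerable(rec, len, name, sizeof name);
    int rc_hard = parse_font_hardened(rec, len, name, sizeof name);
    printf("12-byte name: vulnerable=%d hardened=%d name=%s\n", rc_vuln, rc_hard, name);

    len = build_font_record(rec, 200);   /* longer than the 160-byte buffer */
    rc_hard = parse_font_hardened(rec, len, name, sizeof name);
    printf("200-byte name: hardened=%d (the vulnerable path would overflow its stack buffer)\n",
           rc_hard);
    return 0;
}
```

The point to take from the hardened version is that the bound comes from the destination, not the file: `n >= out_cap` is the check that is missing in the pattern the advisory describes, and the 80-byte variant (CVE-2020-26993) differs only in the value of that capacity.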

BMP_Loader.dll PCX File Handling Heap Buffer Overflow (CVE-2020-26994)

During the parsing of PCX image files a function is called in
BMP_Loader.dll. Content is copied into a heap buffer based on the
number of planes and bytes per line listed in the PCX file without
performing proper boundary checks. This may lead to a heap-based
buffer overflow when opening a specially crafted PCX file.
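The PCX issue is a size-arithmetic bug rather than a string copy: the header fields that drive the decode loop (number of planes, bytes per line) are trusted when sizing or filling a heap buffer. The code below is an added example, not BMP_Loader.dll code or anything from the RBS report; the header offsets it uses (xmin/ymin/xmax/ymax at bytes 4-11, NPlanes at byte 65, BytesPerLine at bytes 66-67, 128-byte header, RLE payload) are the standard PCX layout, while the exact mismatch shown in pcx_load_vulnerable is illustrative of the bug class, since the advisory does not publish the arithmetic in the real loader. MAX_IMAGE_BYTES is an assumed policy cap.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define PCX_HDR 128
#define MAX_IMAGE_BYTES (64u * 1024u * 1024u)   /* assumed cap on one decoded image */

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Constructed test input: a 128-byte PCX header spanning (0,0)-(w-1,h-1) followed by
 * rle_len bytes of RLE data. Returns the file length. */
static size_t build_pcx(uint8_t *buf, uint16_t w, uint16_t h, uint8_t planes,
                        uint16_t bpl, const uint8_t *rle, size_t rle_len) {
    memset(buf, 0, PCX_HDR);
    buf[0] = 0x0A; buf[1] = 5; buf[2] = 1; buf[3] = 8;   /* magic, version, RLE, 8 bpp */
    put16(buf + 8, (uint16_t)(w - 1));                    /* xmax (xmin/ymin stay 0) */
    put16(buf + 10, (uint16_t)(h - 1));                   /* ymax */
    buf[65] = planes;
    put16(buf + 66, bpl);
    memcpy(buf + PCX_HDR, rle, rle_len);
    return PCX_HDR + rle_len;
}

/* PCX RLE: a byte with both top bits set is a run count (low 6 bits) followed by the
 * value; any other byte is a literal. Every write is checked against dst_len. */
static int pcx_rle_decode(const uint8_t *src, size_t src_len, uint8_t *dst, size_t dst_len) {
    size_t in = 0, out = 0;
    while (out < dst_len) {
        if (in >= src_len) return -1;               /* truncated stream */
        uint8_t b = src[in++];
        size_t run = 1;
        if ((b & 0xC0) == 0xC0) {
            run = b & 0x3F;
            if (in >= src_len) return -1;
            b = src[in++];
        }
        if (run > dst_len - out) return -1;         /* run would pass the end of dst */
        memset(dst + out, b, run);
        out += run;
    }
    return 0;
}

/* Vulnerable pattern (illustrative): the heap buffer is sized from the image dimensions,
 * but the decoder is told to produce planes * bytes_per_line * height bytes. A file with
 * bytes_per_line > width or planes > 1 writes past the allocation. Never feed it untrusted input. */
static uint8_t *pcx_load_vulnerable(const uint8_t *file, size_t len) {
    size_t width  = (size_t)(le16(file + 8)  - le16(file + 4)) + 1;
    size_t height = (size_t)(le16(file + 10) - le16(file + 6)) + 1;
    size_t wanted = (size_t)file[65] * le16(file + 66) * height;
    uint8_t *img = malloc(width * height);
    if (!img || pcx_rle_decode(file + PCX_HDR, len - PCX_HDR, img, wanted) != 0) {
        free(img);
        return NULL;
    }
    return img;
}

/* Hardened: the allocation derives from the same fields that drive the copy, each field
 * is range-checked, the product cannot wrap, and the total is capped before malloc. */
static uint8_t *pcx_load_hardened(const uint8_t *file, size_t len, size_t *out_len) {
    if (len < PCX_HDR || file[0] != 0x0A || file[2] != 1) return NULL;
    uint16_t xmin = le16(file + 4), ymin = le16(file + 6);
    uint16_t xmax = le16(file + 8), ymax = le16(file + 10);
    if (xmax < xmin || ymax < ymin) return NULL;
    size_t height = (size_t)(ymax - ymin) + 1;
    size_t planes = file[65], bpl = le16(file + 66);
    if (planes < 1 || planes > 4 || bpl == 0) return NULL;   /* PCX allows 1..4 planes */
    size_t scan = planes * bpl;                               /* <= 4 * 65535, cannot wrap */
    if (scan > MAX_IMAGE_BYTES / height) return NULL;         /* scan * height exceeds cap */
    size_t total = scan * height;
    uint8_t *img = malloc(total);
    if (!img) return NULL;
    if (pcx_rle_decode(file + PCX_HDR, len - PCX_HDR, img, total) != 0) {
        free(img);
        return NULL;
    }
    *out_len = total;
    return img;
}

int main(void) {
    uint8_t file[PCX_HDR + 16];
    const uint8_t benign[]  = { 0xC4, 0x11, 0xC4, 0x22 };  /* 4 x 0x11 then 4 x 0x22 */
    const uint8_t overrun[] = { 0xC9, 0x11 };              /* run of 9 into an 8-byte image */
    size_t n = 0;
    size_t len = build_pcx(file, 4, 2, 1, 4, benign, sizeof benign);
    uint8_t *img = pcx_load_hardened(file, len, &n);
    printf("benign 4x2: %s, %zu bytes\n", img ? "decoded" : "rejected", n);
    free(img);
    len = build_pcx(file, 4, 2, 1, 4, overrun, sizeof overrun);
    printf("oversized run: %s\n", pcx_load_hardened(file, len, &n) ? "decoded" : "rejected");
    return 0;
}
```

With planes set to 4 and bytes per line to 64 on the same 4x2 image, the vulnerable loader allocates 8 bytes and asks the decoder for 512; that gap is the heap overflow the advisory describes, which is why the hardened version never lets the allocation and the copy length be computed from different fields.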

Jt971.dll JTNode Destructor Type Confusion Invalid Pointer Dereference
(CVE-2020-26980)

During the parsing of JT files, a type confusion flaw may occur in the
JTNode destructor in Jt971.dll. This may lead to invalid data being
dereferenced as a virtual function pointer, which could lead to arbitrary
code execution when opening a specially crafted JT file.

Jt971.dll JtBitLengthCodec2::decode() Function Heap Buffer Overflow
(CVE-2020-26986)

During the parsing of JT files the JtBitLengthCodec2::decode()
function in Jt971.dll is called to decode content that is copied into
a heap buffer based on values in the JT file without performing proper
boundary checks. This may lead to a heap-based buffer overflow when
opening a specially crafted JT file.

Solution

Upgrade to version 13.1.0.

References

VulnDB: 246681, 246682, 246683, 246684, 246685
Siemens: https://cert-portal.siemens.com/productcert/pdf/ssa-622830.pdf,
https://cert-portal.siemens.com/productcert/txt/ssa-622830.txt
CVE: CVE-2020-26980, CVE-2020-26986, CVE-2020-26992, CVE-2020-26993,
CVE-2020-26994

Timeline

2020-10-19: First three vulnerabilities reported to the vendor.
2020-10-19: Vendor response received.
2020-10-30: Two additional vulnerabilities reported to the vendor.
2020-10-30: Vendor response received.
2021-01-12: Vendor releases security advisory and updated version.
2021-01-12: Alert sent to RBS VulnDB clients and publication of this
vulnerability report.
