-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-938030: DGN and PAR File Parsing Vulnerabilities in JT2Go and Teamcenter
Visualization before V13.2.0.2

Publication Date:        2021-08-10
Last Update:             2021-09-14
Current Version:         1.1
CVSS v3.1 Base Score:    7.8

SUMMARY
=======

Siemens has released version V13.2.0.2 for JT2Go and Teamcenter
Visualization to fix three vulnerabilities that could be triggered while
parsing DGN or PAR files. If a user is tricked to open a malicious file
with the affected products, this could lead the application to crash or
potential arbitrary code execution.

Siemens recommends to update to the latest versions and to limit opening
of untrusted files from unknown sources in the affected products.

Note:

- -   This advisory also covers security vulnerabilities recently
    disclosed by Open Design Alliance [0]

[0] https://www.opendesign.com/security-advisories


AFFECTED PRODUCTS AND SOLUTION
==============================


* JT2Go 
  - Affected versions:
       All versions < V13.2.0.2
  - Remediation:
       Update to V13.2.0.2 or later version
  - Download:
       https://www.plm.automation.siemens.com/global/en/products/plm-components/jt2go.html

* Teamcenter Visualization 
  - Affected versions:
       All versions < V13.2.0.2
  - Remediation:
       Update to V13.2.0.2 or later version
  - Download:
       https://support.sw.siemens.com/ (login required)


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* Avoid to open untrusted files from unknown sources in JT2Go and
Teamcenter Visualization



GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends to
configure the environment according to Siemens' operational guidelines
for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

JT2Go is a 3D JT viewing tool to allow users to view JT, PDF, Solid
Edge, PLM XML with available JT, VFZ, CGM, and TIF data.

Teamcenter Visualization software enables enterprises to enhance their
product lifecycle management (PLM) environment with a comprehensive
family of visualization solutions. The software enables enterprise users
to access documents, 2D drawings and 3D models in a single environment.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2021-32946

  An improper check for unusual or exceptional conditions issue exists
  within the parsing DGN files from Open Design Alliance Drawings SDK
  (Version 2022.4 and prior) resulting from the lack of proper validation
  of the user-supplied data. This may result in several of out-of-bounds
  problems and allow attackers to cause a denial-of-service condition or
  execute code in the context of the current process.

  CVSS v3.1 Base Score: 7.8
  CVSS Vector:          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-754: Improper Check for Unusual or Exceptional Conditions

* Vulnerability CVE-2021-32952

  An out-of-bounds write issue exists in the DGN file-reading procedure in
  the Drawings SDK (Version 2022.4 and prior) resulting from the lack of
  proper validation of user-supplied data. This can result in a write past
  the end of an allocated buffer and allow attackers to cause a
  denial-of-service condition or execute code in the context of the
  current process.

  CVSS v3.1 Base Score: 7.8
  CVSS Vector:          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-787: Out-of-bounds Write

* Vulnerability CVE-2021-33738

  The plmxmlAdapterSE70.dll library in affected applications lacks proper
  validation of user-supplied data when parsing PAR files. This could
  result in an out of bounds read past the end of an allocated buffer. An
  attacker could leverage this vulnerability to leak information in the
  context of the current process. (ZDI-CAN-13405)

  CVSS v3.1 Base Score: 3.3
  CVSS Vector:          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  CWE:                  CWE-125: Out-of-bounds Read


ACKNOWLEDGMENTS
===============

Siemens thanks the following parties for their efforts:

   * Trend Micro Zero Day Initiative for coordinated disclosure
   * Open Design Alliance for coordination efforts



ADDITIONAL INFORMATION
======================
For more details regarding the vulnerabilities in Open Design Alliance
(ODA) Drawings SDK (CVE-2021-32946 and CVE-2021-32952) refer to the ODA
Security Advisories at https://www.opendesign.com/security-advisories.

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2021-08-10): Publication Date
V1.1 (2021-09-14): Added download links for the fix releases

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEElTRCLAVwzKf/b8X80/SB6hFKr+QFAmE/5gAACgkQ0/SB6hFK
r+RTqQ//R4Q8uGZatj0KtgIP/yOQkD6FPbasB7d8nEIFbfvXNhlj9Rrt77BECJ/X
KbdcQ4k7DXuqnLMCzdSO3f77CcizFHP2uJ+h4AhuT3iGLn8Nm0NOI+ly0RrcRRD4
dwGInPGAJdgNVhsUU5klgdQw1slAwU/ONchU0R9SEuUvS2Tgnzq4muy7dbtFTx79
Jib354r+Hq1ovPYqUSd1UTc3jj1zaRb679bnu+oLfaRiGywG51Y8fvtaqPt9oMNg
2WLsYaZkd0xl3ufhZl0M/Zr1FtI2EiH3Gs5D3r0MWmWZm+uz7DPnGCICN2wBpdIG
3f+A6V2tM2euscuSrdq0jRxfhStDk3vYXlwPrqt1YOOTZrSR91OU3bZnn9YhoeIH
Qkb4dTs82lmNiP6t1ECra2o1tYI3BZ5NcsPJRM8qh0YEzftoZ52KAgVbxvCaydZR
yMQarzoJQhvLt63mUcuKEDq1FV6rkM9o0v/+vzfwL86VQuGWtW6/F4W32ux59SLq
euntwx46lSCMh6oJhRPM1xVkaOf/0EC1JvxYXPYl16N4Y6NCTUc51qBlO8onhBFh
KzIaIkF1k8uoLl/ZFLJneRpuuIgCZ+1+8r/H+AbW2URlO+aJyOXDglZQnrhcbExz
8XIzXa2Bfi7yltf+ecmE84XoasCr71hzKG0Ilx98CMTuOk+Q2D0=
=RFx8
-----END PGP SIGNATURE-----