Siemens fixed tens of flaws in Siemens Digital Industries Software products

Siemens has addressed tens of vulnerabilities in Siemens Digital Industries Software products that can allow arbitrary code execution.

Siemens has addressed 18 vulnerabilities affecting some products of Siemens Digital Industries Software which provides product lifecycle management (PLM) solutions.

The vulnerabilities affect Siemens JT2Go, a 3D viewing tool for JT data (ISO-standardized 3D data format) and the Teamcenter Visualization solution. JT2Go is a 3D JT viewing tool to allows its customers to view JT, PDF, Solid Edge, PLM XML with available JT, VFZ, CGM, and TIF data. Teamcenter Visualization software provides a comprehensive family of visualization solutions to access documents, 2D drawings and 3D models in a single environment.

“JT2Go and Teamcenter Visualization are affected by multiple vulnerabilities that could lead to arbitrary code execution or data extraction on the target host system. Siemens has released updates for both affected products and recommends to update to the latest versions.” states the advisory published by the vendor.

The company recommends limiting the opening of untrusted files in systems where JT2Go or Teamcenter Visualisation is installed to mitigate the risk of attacks exploiting these issues. It also suggests applying a Defense-in-Depth concept to reduce the probability that the untrusted code is run on the system.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also published an advisory related to these security flaws.

According to CISA, the addressed flaws include Type Confusion, Improper Restriction of XML External Entity Reference, Out-of-bounds Write, Heap-based Buffer Overflow, Stack-based Buffer Overflow, Untrusted Pointer Dereference, and Out-of-bounds Read.

The following products are affected by the vulnerabilities addressed by Siemens:

JT2Go: All versions prior to v13.1.0
JT2Go: Version 13.1.0. only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991
Teamcenter Visualization: All versions prior to V13.1.0
Teamcenter Visualization: Version 13.1.0 only affected by CVE-2020-26989, CVE-2020-26990, CVE-2020-26991

Several vulnerabilities addressed by the vendor received a CVSS v3 base score of 7.8, including:

The flaws were reported by two researchers through Trend Micro’s Zero Day Initiative (ZDI) and the U.S. CISA.

Siemens also addressed six vulnerabilities in its Solid Edge solution that provides software tools for 3D design, simulation and manufacturing. The flaws could lead arbitrary code execution and information disclosure.

“Solid Edge is affected by multiple vulnerabilities that could allow arbitrary code execution on an affected system. Siemens has released an update for Solid Edge and recommends to update to the latest version.” reads the advisory.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Siemens)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.