Last week, Siemens informed its customers that some of its product development solutions are affected by twelve vulnerabilities, which hackers can be exploited to execute arbitrary code maliciously archives.
The vulnerabilities were discovered by some researchers and their discovery was coordinated through the Zero Day Initiative (ZDI) of Trend Micro and CISA, which published its own advisory. Affected products have been developed by Siemens Digital Industries Software, which specializes in product lifecycle management (PLM) solutions.
Siemens and CISA publish consulting on 18 vulnerabilities affecting Siemens JT2Go, a promotional tool 3D for JT date (ISO 3D standard format) and Teamcenter Visualization, which provides organization visualization solutions for documents, 2D drawings and 3D models. In addition, a second consultation was published on six vulnerabilities affecting the Siemens Solid Edge, a solution that provides tools software for 3D design, simulation and construction.
Most vulnerabilities are serious and can lead to arbitrary execution code in the context of the targeted process. A vulnerability can lead to information leakage and has been described as "moderate" in severity.
Additionally, code execution vulnerabilities are associated with inadequate validation of user-provided data when parsing certain file types, leading to memory corruption vulnerabilities. To make a attack, intruders must convince the target user to open a specially constructed file.
The types of files that can be used to activate vulnerabilities are JT, CG4, CGM, PDF, RGB, TGA, PAR, ASM, PCX, SGI and DFT. Although the description for all vulnerabilities is similar, a separate CVE ID has been assigned to each variant of a vulnerability.