CVE-2021-34305: 
Siemens JT2Go vulnerability analysis and mitigation

A vulnerability has been identified in JT2Go and Teamcenter Visualization (all versions prior to V13.2). The Gif_loader.dll library in affected applications lacks proper validation of user-supplied data when parsing GIF files. This vulnerability was discovered in March 2021 and publicly disclosed on July 19, 2021 (ZDI Advisory, Siemens Advisory).

The vulnerability (CVE-2021-34305) is an out-of-bounds write issue that occurs during GIF file parsing. The specific flaw exists within the Gif_loader.dll library and results from improper validation of user-supplied data, which can lead to a write operation past the end of an allocated buffer structure. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process, potentially leading to full system compromise. The vulnerability affects confidentiality, integrity, and availability of the system, with potential for unauthorized access to sensitive information, system modifications, and service disruptions (ZDI Advisory).

Siemens has released version 13.2 of JT2Go and Teamcenter Visualization to address this vulnerability. Users are strongly advised to update to this version or later to mitigate the risk. The fix is available through official Siemens support channels (Siemens Advisory).