CVE-2021-34317: 
Siemens JT2Go vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability (CVE-2021-34317) was discovered in Siemens JT2Go (all versions prior to V13.2) and Teamcenter Visualization (all versions prior to V13.2). The vulnerability exists within the parsing of PCX files, where the application lacks proper validation of user-supplied data prior to copying it to a fixed-length heap-based buffer. This vulnerability was reported on March 16, 2021, and publicly disclosed on July 19, 2021 (ZDI Advisory, CISA Advisory).

The vulnerability is tracked as ZDI-21-853 (ZDI-CAN-13402) and has been assigned a CVSS v3 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The specific flaw exists in the BMP_loader.dll library which lacks proper validation of user-supplied data when parsing PCX files. This results in an out-of-bounds write past the fixed-length heap-based buffer (ZDI Advisory).

Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on affected installations of Siemens JT2Go. The attacker can leverage this vulnerability to execute code in the context of the current process. User interaction is required for exploitation, as the target must visit a malicious page or open a malicious file (ZDI Advisory).

Siemens has released updates to address this vulnerability. Users should update to JT2Go version 13.2 or later. For Teamcenter Visualization, users should also update to version 13.2 or later. As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms and configuring the environment according to Siemens' Operational Guidelines for Industrial Security (CISA Advisory).