CVE-2021-44017: 
Siemens JT2Go vulnerability analysis and mitigation

A vulnerability has been identified in JT2Go (All versions < V13.2.0.5) and Teamcenter Visualization (All versions < V13.2.0.5). The vulnerability, tracked as CVE-2021-44017, involves an out-of-bounds read issue in Image.dll when parsing specially crafted TIF files. This vulnerability was discovered by Mat Powell of Trend Micro Zero Day Initiative and was disclosed on December 14, 2021 (NVD, ZDI).

The vulnerability is classified as an out-of-bounds read (CWE-125) that occurs when parsing TIF files. The CVSS v3.1 base score is 5.5 MEDIUM (Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N). The issue specifically exists within the Image.dll component and results from the lack of proper validation of user-supplied data, which can lead to a read past the end of an allocated buffer (ZDI, NVD).

An attacker could leverage this vulnerability to leak sensitive information in the context of the current process. The vulnerability requires user interaction, as the target must visit a malicious page or open a malicious file to trigger the exploit (ZDI).

Siemens has released patches to address this vulnerability. Users are recommended to update to JT2Go version 13.2.0.5 or later, and Teamcenter Visualization version 13.2.0.5 or later. As additional mitigation, Siemens recommends avoiding opening untrusted files from unknown sources in JT2Go and Teamcenter Visualization (CISA).