CVE-2024-34086: 
Siemens JT2Go vulnerability analysis and mitigation

CVE-2024-34086 is a vulnerability identified in JT2Go and Teamcenter Visualization software products. The vulnerability affects multiple versions including JT2Go (All versions < V2312.0001), Teamcenter Visualization V14.1 (< V14.1.0.13), V14.2 (< V14.2.0.10), V14.3 (< V14.3.0.7), and Teamcenter Visualization V2312 (< V2312.0001). The issue was discovered by Nafiez from Logix Advisor and was reported to Siemens (Siemens Advisory).

The vulnerability is classified as an out-of-bounds write vulnerability (CWE-787) that occurs when parsing specially crafted CGM files. It has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 base score of 7.3 with the vector string CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (Siemens Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute code in the context of the current process. The vulnerability affects critical manufacturing sectors worldwide, particularly organizations using Siemens' Teamcenter Visualization software for product lifecycle management and JT2Go for 3D viewing (CISA Advisory).

Siemens has released updates to address this vulnerability and recommends users to update to the following versions: JT2Go to V2312.0001 or later, Teamcenter Visualization V14.1 to V14.1.0.13 or later, V14.2 to V14.2.0.10 or later, V14.3 to V14.3.0.7 or later, and V2312 to V2312.0001 or later. As a workaround, users are advised not to open untrusted CGM files in affected applications (Siemens Advisory).