CVE-2024-37996: 
Siemens JT2Go vulnerability analysis and mitigation

A null pointer dereference vulnerability (CVE-2024-37996) has been identified in multiple Siemens software products including JT Open (All versions < V11.5), JT2Go (All versions < V2406.0003), PLM XML SDK (All versions < V7.1.0.014), and various versions of Teamcenter Visualization. The vulnerability was discovered and disclosed by Siemens in July 2024 (Siemens Advisory, CISA Advisory).

The vulnerability occurs while parsing specially crafted XML files, resulting in a null pointer dereference condition. The vulnerability has been assigned a CVSS v3.1 base score of 3.3 (LOW) with vector string AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L, and a CVSS v4.0 base score of 4.8 (MEDIUM) with vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-476: NULL Pointer Dereference (Siemens Advisory).

If successfully exploited, this vulnerability could allow an attacker to crash the application, resulting in a denial of service condition. The impact is limited to availability with no direct effect on confidentiality or integrity of the system (Siemens Advisory).

Siemens has released updates for all affected products and recommends updating to the latest versions: JT Open to V11.5 or later, JT2Go to V2406.0003 or later, PLM XML SDK to V7.1.0.014 or later, and respective latest versions for Teamcenter Visualization products. As a workaround, users are advised not to open untrusted XML files in affected applications. Additionally, Siemens recommends configuring the environment according to their operational guidelines for Industrial Security (Siemens Advisory).