CVE-2024-41902: 
Siemens JT2Go vulnerability analysis and mitigation

A stack-based buffer overflow vulnerability (CVE-2024-41902) has been identified in JT2Go, a 3D viewing tool, affecting all versions prior to V2406.0003. The vulnerability was discovered and reported by Michael Heinzl to Siemens, with initial disclosure on October 8, 2024. The affected software, JT2Go, is used to view JT, PDF, Solid Edge, PLM XML with available JT, VFZ, CGM, and TIF data (Siemens Advisory).

The vulnerability is classified as a stack-based buffer overflow (CWE-121) that can be triggered while parsing specially crafted PDF files. It has received a CVSS v3.1 base score of 7.8 (HIGH) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 base score of 7.3 with the vector string CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (CISA Advisory, Siemens Advisory).

Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process. The vulnerability affects confidentiality, integrity, and availability of the system, as indicated by the high impact scores across all three categories in the CVSS rating (CISA Advisory).

Siemens has released version V2406.0003 as a fix and recommends updating to this or a later version. Additionally, two workarounds have been identified: 1) Do not open untrusted PDF files in affected applications, and 2) Remove the PDFJTExtractor.exe from the installation in the affected application. As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines for Industrial Security (Siemens Advisory).