Siemens Patches 21 Vulnerabilities in 2 ToolsFlaws, If Exploited, Could Enable Remote Control, Data Exfiltration
Siemens has mitigated 21 vulnerabilities in two of its virtualization software tools that, if exploited, could enable attackers to gain remote control, exfiltrate data or cause systems to crash. It's urging customers to shift to updated versions of the software that fix the flaws.
In a patch update on Thursday, Siemens notes that the flaws, dubbed SSA-663999, are file parsing vulnerabilities that affect JT2Go, a 3D viewing tool, and Teamcenter, an enterprise visualization tool, in versions earlier than V220.127.116.11. The flaws come into play when the tools read files in formats such as PAR, BMP and TIFF, among others.
"If a user is tricked into opening a malicious file with the affected products, this could lead to an application crash or potentially arbitrary code execution or data extraction on the target host system," Siemens says.
In addition to implementing the updated versions of the software, Siemens advises users to limit the opening of untrusted files from unknown sources in the affected products to help prevent attacks.
All the vulnerabilities that were disclosed by Siemens have a CVSS rank of 7.8, or highly vulnerable. Among the flaws are:
- CVE-2020-26998: This vulnerability is caused by improper validation of user data while parsing PAR files. It could lead to memory access and data leaks.
- CVE-2020-27000: This vulnerability, which arises from parsing BMP files, could enable attackers to perform remote code execution.
- CVE-2020-27001: This is a stack-based buffer overflow caused by parsing of PAR files that could lead to remote code execution.
- CVE-2020-27003: This flaw is caused by parsing of TIFF files. It, too, could lead to remote code execution.
Many of the vulnerabilities disclosed by Siemens are linked to the use of Open Design Alliance software development kits. The alliance has released details of the issues involved.
"Depending on the method used (to exploit parsing flaws) an attacker could for example trigger a stack based buffer overflow, cause memory corruption or execute code to affect processes in a wider context to disrupt operations through access to sensitive process data," Mike Loginov, author and global CISO, told ISMG.
He adds: "Exploitation typically requires tricking a user to open a malicious file with the affected products, this could lead to application crash, or potentially code execution or data extraction on the target host system."
Earlier, other vulnerabilities were identified in some Siemens products.
In January, Trend Micro's Zero Day Initiative identified a parsing vulnerability in JT2Go that enabled remote code execution.
In 2019, security firm Tenable uncovered a vulnerability in a Siemens software platform that helps maintain industrial control systems for large critical infrastructure facilities, such as nuclear power plants (see: Researchers Disclose Vulnerability in Siemens' ICS Software).
Tenable said that vulnerability was in the same Siemens software platform used by the originators of Stuxnet to help spread malware in Iran's nuclear facilities a decade ago.
In 2017, the Department of Homeland Security warned about vulnerabilities in certain Siemens medical imaging products running Windows 7 that could enable hackers to remotely execute arbitrary code (see: Some Siemens Medical Imaging Devices Vulnerable to Hackers).
Craig Young, principal security researcher at security firm Tripwire notes parsing vulnerabilities are a common attack vector for threat actors as they allows the attackers to access complex construction code. "This type of flaw tends to arise when developers fail to consider malformed data test cases and ultimately make miscalculations when handling objects in memory. Stuxnet famously leveraged several 0-day exploits including within Microsoft Windows shortcut (LNK) parsing functions."