CVE-2021-32936: Siemens JT2Go DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
First published: Thu Jun 17 2021(Updated: )
An out-of-bounds write issue exists in the DXF file-recovering procedure in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data. This can result in a write past the end of an allocated buffer and allow attackers to cause a denial-of-service condition or execute code in the context of the current process.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Opendesign Drawings Sdk | <2022.4 | |
| Siemens COMOS | <10.4.1 | |
| Siemens JT2Go | <13.2.0.1 | |
| Siemens Teamcenter Visualization | <13.2.0.1 | |
| Siemens JT2Go | ||
| Open Design Alliance Drawings SDK | <2022.4 | 2022.4 |
| Open Design Alliance Drawing SDK: Version 2022.4 is affected by CVE-2021-32946 and CVE-2021-32952 | ||
| Siemens JT2Go | <13.2.0.1 | 13.2.0.1 |
| Siemens Teamcenter Visualization | <13.2.0.1 | 13.2.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cert-portal.siemens.com/productcert/pdf/ssa-155599.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-365397.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-491245.pdf
- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-02
- https://www.zerodayinitiative.com/advisories/ZDI-21-982/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-222-01
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-159-02 (Advisory)
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-222-01 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for this Siemens JT2Go vulnerability?
The vulnerability ID for this Siemens JT2Go vulnerability is CVE-2021-32936.
What is the severity of CVE-2021-32936?
The severity of CVE-2021-32936 is high with a CVSS score of 7.8.
How can the Siemens JT2Go vulnerability be exploited?
The Siemens JT2Go vulnerability can be exploited by remote attackers who can execute arbitrary code on affected installations when a target visits a malicious page or opens a malicious file.
What software versions are affected by CVE-2021-32936?
Siemens JT2Go versions up to exclusive 13.2.0.1 are affected by CVE-2021-32936.
Are there any references or additional information available regarding this vulnerability?
Yes, please refer to the following links for more information: - [CVE-2021-32936 Description](https://cert-portal.siemens.com/productcert/pdf/ssa-155599.pdf) - [CVE-2021-32936 Patch Instructions](https://cert-portal.siemens.com/productcert/pdf/ssa-365397.pdf) - [CVE-2021-32936 Vulnerability Analysis](https://cert-portal.siemens.com/productcert/pdf/ssa-491245.pdf)
- collector/nvd-index
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/author
- agent/title
- agent/weakness
- agent/first-publish-date
- agent/description
- agent/references
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-21-982
- alias/ZDI-CAN-13408
- alias/CVE-2021-32936
- agent/software-canonical-lookup
- collector/ics-cert-advisory
- source/ICS
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/opendesign
- canonical/opendesign drawings sdk
- vendor/siemens
- canonical/siemens comos
- canonical/siemens jt2go
- canonical/siemens teamcenter visualization
- vendor/open design alliance
- canonical/open design alliance drawings sdk
- canonical/open design alliance drawing sdk: version 2022.4 is affected by cve-2021-32946 and cve-2021-32952