PatchSiren cyber security CVE debrief

CVE-2024-26277 Siemens CVE debrief

A null pointer dereference vulnerability exists in Siemens JT2Go and Teamcenter Visualization products when parsing specially crafted X_T files. An attacker can exploit this flaw to crash the application, resulting in a denial of service condition. The vulnerability requires local access and user interaction, with a CVSS 3.1 score of 3.3 (Low severity). Siemens has released patched versions for all affected product lines.

Vendor: Siemens
Product: JT2Go
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-04-09
Original CVE updated: 2024-04-09
Advisory published: 2024-04-09
Advisory updated: 2024-04-09

Who should care

Organizations using Siemens JT2Go or Teamcenter Visualization for CAD file review and collaboration, particularly in industrial and manufacturing environments where X_T file exchange is common.

Technical summary

The vulnerability stems from improper null pointer handling during parsing of X_T (Parasolid text format) files in Siemens visualization software. When a malformed X_T file is processed, the application dereferences a null pointer, causing an immediate crash. This is a local attack vector requiring user interaction to open a malicious file. The crash results in loss of availability for the application but does not provide confidentiality or integrity impacts.
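To make the failure mode concrete, the following is an added illustration written for this debrief; it is not Siemens code and the record grammar it parses is a constructed toy format, not the Parasolid X_T grammar. It contrasts a field lookup whose NULL result is dereferenced without a check (the pattern that turns a malformed file into a process crash) with a hardened version that reports a parse error instead.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record format for this example: "key=value;key=value;".
 * It stands in for any text-based CAD interchange format; it is NOT X_T. */

/* Return a pointer to the value after "key=", or NULL when the key is absent.
 * Matches only at the start of a field so "nobody=" does not match "body". */
static const char *find_value(const char *record, const char *key) {
    size_t klen = strlen(key);
    const char *p = record;
    while ((p = strstr(p, key)) != NULL) {
        if ((p == record || p[-1] == ';') && p[klen] == '=')
            return p + klen + 1;
        p += klen;
    }
    return NULL;
}

/* Vulnerable pattern: assumes the field is always present. For a record
 * that lacks "body=", find_value() returns NULL and strtol() dereferences
 * it, so the application crashes (loss of availability, nothing more). */
static long body_count_unchecked(const char *record) {
    const char *v = find_value(record, "body");
    return strtol(v, NULL, 10);   /* undefined behaviour when v == NULL */
}

/* Hardened pattern: a missing, empty or non-numeric field is a parse error
 * that is returned to the caller (-1) rather than a crash. */
static long body_count_checked(const char *record) {
    const char *v = find_value(record, "body");
    if (v == NULL || *v == '\0' || *v == ';')
        return -1;                /* field absent or empty: refuse the file */
    char *end;
    long n = strtol(v, &end, 10);
    if (end == v || (*end != ';' && *end != '\0'))
        return -1;                /* value is not a clean integer */
    return n;
}

int main(void) {
    const char *good = "unit=mm;body=7;";   /* constructed well-formed record */
    const char *bad  = "unit=mm;";          /* constructed malformed record: no body field */
    printf("good, unchecked: %ld\n", body_count_unchecked(good));
    printf("good, checked:   %ld\n", body_count_checked(good));
    printf("bad,  checked:   %ld\n", body_count_checked(bad));
    /* body_count_unchecked(bad) would dereference NULL and abort the process. */
    return 0;
}
```

The hardened lookup is the whole of the mitigation class here: the parser treats every optional or attacker-controlled field as possibly absent and fails closed, so a crafted file is rejected with an error instead of taking the viewer down.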

Defensive priority

Routine

Recommended defensive actions

  • Update JT2Go to V2312.0004 or later
  • Update Teamcenter Visualization V14.2 to V14.2.0.12 or later
  • Update Teamcenter Visualization V14.3 to V14.3.0.9 or later
  • Update Teamcenter Visualization V2312 to V2312.0004 or later
  • Avoid opening untrusted X_T files in affected applications until patches are applied

Evidence notes

Vulnerability disclosed via CISA ICS advisory ICSA-24-165-08 on 2024-06-11. Advisory updated 2024-08-13 to add fix version for Teamcenter Visualization V14.2.0.12. Vendor fix versions confirmed in CSAF remediation data.

Official resources

2024-06-11