Siemens has issued an advisory regarding a significant vulnerability affecting their Teamcenter Visualization and JT2Go products. The vulnerability, identified as CVE-2023-7066, involves an out-of-bounds read issue. This flaw is present in versions of Siemens JT2Go and Teamcenter Visualization prior to specified updates. It has been assigned a CVSS v3 base score of 7.8, indicating a high level of risk due to its potential for exploitation.
The out-of-bounds read occurs when these applications parse specially crafted PDF files. This can lead to code execution within the context of the current process, posing a serious security threat. The affected versions include various releases of Siemens Teamcenter Visualization, such as V14.1, V14.2, V14.3, and V2312, as well as JT2Go versions prior to V14.3.0.8. The vulnerability’s impact underscores the importance of applying timely updates to mitigate risks.
To address this issue, Siemens recommends that users update their software to the latest versions available. Specific updates include Teamcenter Visualization V14.1.0.14, V14.2.0.10, V14.3.0.8, and V2312.0002, and JT2Go V14.3.0.8. Additionally, users should avoid opening untrusted PDF files in these applications as a precautionary measure. Siemens also advises adhering to general security practices to protect network access and align with their industrial security guidelines.
CISA supports these recommendations and emphasizes minimizing network exposure for control system devices. They also suggest using secure remote access methods like VPNs, though VPNs should be updated to the latest versions. For further guidance, CISA’s webpage offers detailed recommendations and best practices for defending against cyber threats in industrial control systems. No public exploitation of this specific vulnerability has been reported to date.