CVE-2021-34315

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code by exploiting an out-of-bounds read in the BMP_loader.dll library when parsing malicious SGI files in Siemens JT2Go and Teamcenter Visualization software. Users of these applications with versions below 13.2 are affected. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:
  • Siemens JT2Go
  • Siemens Teamcenter Visualization
Versions: All versions before V13.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the BMP_loader.dll library when processing SGI image files. Both applications share this vulnerable component.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with SYSTEM/root privileges leading to complete system takeover, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Local privilege escalation or remote code execution in the context of the current user, potentially leading to malware installation or data theft.

🟢 If Mitigated: Denial of service or application crash if exploit fails or is blocked by security controls.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious SGI files, but could be delivered via web downloads or email attachments.
🏢 Internal Only: HIGH - Internal users could be tricked into opening malicious files, and successful exploitation could enable lateral movement within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious SGI file. The vulnerability is an out-of-bounds read that could lead to code execution, but crafting a reliable exploit requires specific knowledge of memory layout.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V13.2 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-483182.pdf

Restart Required: Yes

Instructions:

1. Download and install JT2Go V13.2 or later from the Siemens support portal.
2. Download and install Teamcenter Visualization V13.2 or later from the Siemens support portal.
3. Restart affected systems after installation.

🔧 Temporary Workarounds

Block SGI file extensions (Windows)

Prevent opening of SGI files by blocking the file extension at the system or network level.

Windows Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules > New Path Rule: Path: *.sgi, Security Level: Disallowed

Disable BMP_loader.dll for SGI files (Windows)

Remove or rename the BMP_loader.dll file to prevent SGI file parsing (may affect other functionality).

rename "C:\Program Files\Siemens\JT2Go\BMP_loader.dll" "BMP_loader.dll.bak"
rename "C:\Program Files\Siemens\Teamcenter Visualization\BMP_loader.dll" "BMP_loader.dll.bak"

🧯 If You Can't Patch

  • Restrict user permissions to prevent opening of untrusted SGI files.
  • Implement application whitelisting so that only authorized users and systems can run JT2Go and Teamcenter Visualization.

🔍 How to Verify

Check if Vulnerable:

Check application version in Help > About menu. If version is below 13.2, the system is vulnerable.

Check Version:

wmic product where "name like '%JT2Go%' or name like '%Teamcenter Visualization%'" get name, version

Verify Fix Applied:

Verify version is 13.2 or higher in Help > About menu and test opening legitimate SGI files to ensure functionality.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with access violation errors in BMP_loader.dll
  • Windows Event Logs: Application Error events for JT2Go.exe or Teamcenter Visualization processes

Network Indicators:

  • Downloads of SGI files from untrusted sources
  • Unusual outbound connections from JT2Go/Teamcenter Visualization processes

SIEM Query:

source="windows" AND (event_id=1000 OR event_id=1001) AND process_name IN ("JT2Go.exe", "Teamcenter Visualization") AND module_name="BMP_loader.dll"
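The log indicator above can be checked directly on a host. The following PowerShell script is an added example, not part of the advisory: it pulls Application Error events (Event ID 1000) from the Application log and keeps those whose faulting module is BMP_loader.dll, flagging the access-violation exception code. The $Days window and the regex parsing of the event message are assumptions; the Teamcenter Visualization process name is not given on the page, so the script matches on the faulting module alone and reports whichever application crashed.

```powershell
# Added example (not from the advisory): hunt the Application log for
# Application Error (Event ID 1000) records where a process faulted inside
# BMP_loader.dll, the module named by CVE-2021-34315.
param(
    [int]$Days = 30   # assumption: look back 30 days by default
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no hits".
$hits = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Faulting module name:\s*BMP_loader\.dll' } |
    ForEach-Object {
        # Parse the fields out of the message text rather than relying on the
        # positional Properties layout of the event record.
        $app  = if ($_.Message -match 'Faulting application name:\s*([^,]+)') { $Matches[1].Trim() } else { '?' }
        $code = if ($_.Message -match 'Exception code:\s*(0x[0-9a-fA-F]+)')   { $Matches[1] }        else { '?' }
        [pscustomobject]@{
            Time            = $_.TimeCreated
            Computer        = $_.MachineName
            Application     = $app
            ExceptionCode   = $code
            # 0xc0000005 is STATUS_ACCESS_VIOLATION, the "access violation" the page lists as an indicator.
            AccessViolation = ($code -eq '0xc0000005')
        }
    }

if ($hits) {
    $hits | Sort-Object Time -Descending | Format-Table -AutoSize
} else {
    Write-Output "No Application Error events faulting in BMP_loader.dll in the last $Days days."
}
```

Run it in an elevated PowerShell session on each host running JT2Go or Teamcenter Visualization; a hit with AccessViolation set to True is worth correlating with the SGI file the user opened at that time.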
