CVE-2023-38073
📋 TL;DR
A type confusion vulnerability in Siemens JT2Go, Teamcenter Visualization, and Tecnomatix Plant Simulation allows remote code execution when parsing malicious WRL files. Attackers can execute arbitrary code with the privileges of the current process. Users of affected versions of these Siemens industrial software products are vulnerable.
💻 Affected Systems
- JT2Go
- Teamcenter Visualization
- Tecnomatix Plant Simulation
📦 What is this software?
JT2Go by Siemens
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution leading to data theft, ransomware deployment, or lateral movement within industrial networks.
Likely Case
Local privilege escalation or targeted attacks via malicious WRL files delivered through phishing or compromised websites.
If Mitigated
Limited impact if proper network segmentation, application whitelisting, and user privilege restrictions are implemented.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious WRL file. No public exploit code is available, but the vulnerability is documented in ZDI-CAN-20826.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: JT2Go V14.3.0.1; Teamcenter Visualization V13.3.0.12; Teamcenter Visualization V14.1.0.11; Teamcenter Visualization V14.2.0.6; Teamcenter Visualization V14.3.0.1; Tecnomatix Plant Simulation V2201.0010; Tecnomatix Plant Simulation V2302.0004
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-278349.pdf
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Siemens support portal.
2. Back up the current installation.
3. Install the patch following vendor instructions.
4. Restart the system.
5. Verify the patch is applied correctly.
🔧 Temporary Workarounds
Block WRL file extensions
Prevent execution of WRL files by blocking the file extension at the endpoint or network level.
Windows: Use Group Policy to block .wrl file execution
Linux: Modify /etc/mime.types to remove WRL associations
Application whitelisting
Restrict which applications can open WRL files to prevent unauthorized execution.
Windows: Use AppLocker or Windows Defender Application Control
Linux: Use SELinux or AppArmor policies
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from critical networks.
- Apply principle of least privilege to user accounts running the vulnerable software.
🔍 How to Verify
Check if Vulnerable:
Check the installed version against the affected-versions list. Open the application and check Help > About or the equivalent version information.
Check Version:
Windows: Check program properties or registry entries.
Linux: Check the package manager or the application's version command.
Verify Fix Applied:
Verify the version number matches or exceeds the patched versions listed in the vendor advisory.
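The version comparison above is easy to get wrong by hand because the advisory lists one fixed build per release branch (for example 14.1.0.11 and 14.2.0.6 for Teamcenter Visualization). The following script is an added example, not Siemens tooling; it compares an inventoried version against the patched versions listed in this page. It assumes a fix applies only within its own branch, keyed on major.minor for JT2Go and Teamcenter Visualization and on the release number (2201, 2302) for Plant Simulation; a branch with no listed fix is reported as unknown rather than guessed.

```python
# Added example (not from the Siemens advisory): compare installed product
# versions against the patched versions listed for CVE-2023-38073.

# Patched versions exactly as listed in the advisory text above (SSA-278349).
PATCHED_VERSIONS = {
    "JT2Go": ["14.3.0.1"],
    "Teamcenter Visualization": ["13.3.0.12", "14.1.0.11", "14.2.0.6", "14.3.0.1"],
    "Tecnomatix Plant Simulation": ["2201.0010", "2302.0004"],
}

# ASSUMPTION: a fix only covers its own release branch. The first N version
# components form the branch key: major.minor for JT2Go / Teamcenter
# Visualization (13.3, 14.1, ...), the release number for Plant Simulation.
BRANCH_COMPONENTS = {
    "JT2Go": 2,
    "Teamcenter Visualization": 2,
    "Tecnomatix Plant Simulation": 1,
}


def parse_version(text: str) -> tuple:
    """Turn 'V14.1.0.11' or '14.1.0.11' into a comparable tuple (14, 1, 0, 11)."""
    text = text.strip()
    if text[:1] in ("V", "v"):
        text = text[1:]
    return tuple(int(part) for part in text.split("."))


def assess_version(product: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one installation."""
    if product not in PATCHED_VERSIONS:
        raise ValueError(f"unknown product: {product!r}")
    have = parse_version(installed)
    n = BRANCH_COMPONENTS[product]
    for fixed_text in PATCHED_VERSIONS[product]:
        fixed = parse_version(fixed_text)
        if have[:n] == fixed[:n]:
            # Same branch: patched once the installed build reaches the fix.
            return "patched" if have >= fixed else "vulnerable"
    # No fix is listed for this branch; the advisory must be consulted directly.
    return "unknown-branch"


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [
        ("host-a", "JT2Go", "V14.3.0.0"),
        ("host-b", "Teamcenter Visualization", "14.1.0.11"),
        ("host-c", "Tecnomatix Plant Simulation", "V2201.0003"),
        ("host-d", "Teamcenter Visualization", "14.0.0.3"),
    ]
    for host, product, version in inventory:
        print(f"{host}: {product} {version} -> {assess_version(product, version)}")
```

Feed it the output of whatever inventory source you already have (registry export, package manager, asset database); the only thing it needs per host is the product name and the version string shown in Help > About.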
📡 Detection & Monitoring
Log Indicators:
- Application crashes when opening WRL files
- Unexpected process creation from the affected applications
- Failed file parsing attempts in application logs
Network Indicators:
- Unusual outbound connections from affected systems
- File downloads of WRL files from untrusted sources
SIEM Query:
source="application_logs" AND (process="jt2go.exe" OR process="teamcenter_visualization") AND (event="crash" OR (event="file_open" AND file_extension="wrl"))
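To check that the query's logic flags what the indicators above describe, here is an added example (not part of the original advisory) that applies the same predicate, plus the "unexpected process creation" and "crash shortly after a WRL open" indicators, to constructed key=value log lines. The log format and the `ts`, `parent` and `file` field names are assumptions for the sake of the example; adapt the parser to whatever your endpoint agent actually emits.

```python
# Added example (not from the original advisory): run the detection logic of
# the SIEM query above over constructed application log lines.
import shlex
from datetime import datetime

WATCHED_PROCESSES = {"jt2go.exe", "teamcenter_visualization"}

# Constructed sample telemetry, not real events. Field names follow the SIEM
# query; 'ts', 'parent' and 'file' are assumed extra fields.
SAMPLE_LOGS = """\
ts=2024-01-10T09:01:02Z process=jt2go.exe event=file_open file_extension=jt file="part.jt"
ts=2024-01-10T09:02:15Z process=jt2go.exe event=file_open file_extension=wrl file="model.wrl"
ts=2024-01-10T09:02:16Z process=jt2go.exe event=crash code=0xc0000005
ts=2024-01-10T09:03:00Z process=teamcenter_visualization event=file_open file_extension=wrl file="scene.wrl"
ts=2024-01-10T09:03:01Z process=cmd.exe event=process_create parent=teamcenter_visualization
ts=2024-01-10T09:04:00Z process=notepad.exe event=file_open file_extension=wrl file="readme.wrl"
ts=2024-01-10T09:05:00Z process=explorer.exe event=crash code=0xc0000005
"""


def parse_line(line: str) -> dict:
    """Split 'k=v k2="v 2"' into a dict; shlex takes care of quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def is_wrl_open(ev: dict) -> bool:
    return ev.get("event") == "file_open" and ev.get("file_extension", "").lower() == "wrl"


def matches_siem_query(ev: dict) -> bool:
    """Same predicate as the SIEM query: watched process AND (crash OR .wrl open)."""
    if ev.get("process") not in WATCHED_PROCESSES:
        return False
    return ev.get("event") == "crash" or is_wrl_open(ev)


def unexpected_child(ev: dict) -> bool:
    """'Unexpected process creation': a new process whose parent is one of the viewers."""
    return ev.get("event") == "process_create" and ev.get("parent") in WATCHED_PROCESSES


def scan(text: str) -> list:
    """Return (line_no, reason) for every line that trips one of the two rules."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse_line(line)
        if matches_siem_query(ev):
            hits.append((n, f"{ev['process']} {ev['event']}"))
        elif unexpected_child(ev):
            hits.append((n, f"{ev['parent']} spawned {ev['process']}"))
    return hits


def crash_after_wrl_open(text: str, window_seconds: int = 30) -> list:
    """Higher-confidence signal: a watched process crashes within `window_seconds`
    of opening a .wrl file. Returns (process, file) pairs."""
    last_open = {}
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        proc = ev.get("process")
        if proc not in WATCHED_PROCESSES:
            continue
        if is_wrl_open(ev):
            last_open[proc] = (parse_ts(ev["ts"]), ev.get("file"))
        elif ev.get("event") == "crash" and proc in last_open:
            opened, name = last_open[proc]
            delta = (parse_ts(ev["ts"]) - opened).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append((proc, name))
    return findings


if __name__ == "__main__":
    for line_no, reason in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {reason}")
    for proc, name in crash_after_wrl_open(SAMPLE_LOGS):
        print(f"{proc} crashed shortly after opening {name}")
```

The plain query matches every WRL open by the viewers, which is noisy on engineering workstations; the crash-within-window correlation and the child-process rule are the two conditions worth alerting on, and the raw WRL-open matches are better kept as context for triage.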