CVE-2023-38075
📋 TL;DR
This CVE describes a use-after-free triggered while parsing WRL (VRML) files in Siemens JT2Go, Teamcenter Visualization, and Tecnomatix Plant Simulation. An attacker who gets a user to open a crafted WRL file can execute code in the context of the viewer process, i.e. with that user's privileges. Organizations running these products in CAD/CAM/PLM workflows are affected.
💻 Affected Systems
- JT2Go (all versions before V14.3.0.1)
- Teamcenter Visualization V13.3 (before V13.3.0.12), V14.1 (before V14.1.0.11), V14.2 (before V14.2.0.6), V14.3 (before V14.3.0.1)
- Tecnomatix Plant Simulation V2201 (before V2201.0010), V2302 (before V2302.0004)
📦 What is this software?
JT2Go is Siemens' free viewer for JT and other 3D CAD formats; Teamcenter Visualization is the visualization component of the Teamcenter PLM suite; Tecnomatix Plant Simulation models and simulates production lines. All three can load WRL (VRML) scene files, which is the input that triggers this bug.
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary code execution with the privileges of the user running the viewer, leading to malware installation on the engineering workstation, theft of design data, or lateral movement into the PLM environment. If the user is a local administrator, this is full system compromise.
Likely Case
Code execution in the user's context when a malicious WRL file is opened (the bug gives no privilege escalation by itself), followed by a second-stage payload for persistence or data exfiltration.
If Mitigated
Limited impact if users run as standard (non-admin) accounts, application control blocks unsigned payloads the exploit would drop, and WRL files from outside the organization are blocked or quarantined before they reach the workstation.
🎯 Exploit Status
Exploitation requires a victim to open an attacker-supplied WRL file in one of the affected applications, so the attacker needs a delivery channel (e-mail attachment, file share, download link) and user interaction; no authentication is involved. No public exploit code was known at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version:
- JT2Go V14.3.0.1
- Teamcenter Visualization V13.3.0.12, V14.1.0.11, V14.2.0.6, V14.3.0.1 (one fix per maintenance branch)
- Tecnomatix Plant Simulation V2201.0010, V2302.0004
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-278349.pdf
Restart Required: Yes
Instructions:
1. Download the patch for your product and maintenance branch from the Siemens Support Center.
2. Close all affected applications.
3. Install the patch with administrative privileges.
4. Restart the system.
5. Verify the updated version is installed (Help > About).
🔧 Temporary Workarounds
Block WRL file extensions
(Windows) Prevent WRL files from being launched through Group Policy or application control.
Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules > New Path Rule: Path: *.wrl, Security Level: Disallowed
Caveat: a Software Restriction Policies path rule only governs launching a file through the shell, and only for extensions in the policy's Designated File Types list (.wrl is not there by default, so add it). It does not stop the viewer from reading a WRL file chosen via File > Open or passed on its command line, so treat this as a speed bump against double-click delivery, not as a fix.
Disable WRL file association
(Windows) Remove the association between WRL files and the vulnerable applications so a double-click no longer opens the file in the viewer. Export both keys with reg export first if you want to restore the association after patching. The first key is machine-wide and needs an elevated prompt; the second is the per-user "Open with" override and must be run in the user's own session.
rem Machine-wide .wrl association (mirrors HKLM\Software\Classes); run elevated
reg delete "HKEY_CLASSES_ROOT\.wrl" /f
rem Per-user "Open with" override; run as the affected user
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wrl" /f
🧯 If You Can't Patch
- Implement application whitelisting so that any payload dropped by a successful exploit cannot run, and run engineering users as standard (non-admin) accounts.
- Train users never to open WRL files from untrusted sources, and block or quarantine .wrl attachments at the mail gateway and web proxy.
🔍 How to Verify
Check if Vulnerable:
Compare the installed version of each affected Siemens product against the version ranges listed under Affected Systems. Note that Teamcenter Visualization and Tecnomatix Plant Simulation are fixed per maintenance branch, so a version must be compared with the fix for its own branch, not with the lowest patched version overall.
Check Version:
All three products show the installed version under Help > About (JT2Go, Teamcenter Visualization, Tecnomatix Plant Simulation). For fleet-wide checks, read the version from your software inventory or endpoint management tool instead of visiting each workstation.
Verify Fix Applied:
Verify that the installed version matches or exceeds the patched version for its branch as listed under Official Fix.
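The branch-aware comparison described above, as an added example (not Siemens tooling): the fixed versions are taken from the Official Fix section, versions are compared numerically rather than as strings, and the inventory at the bottom is constructed.

```python
"""Check installed Siemens product versions against the fixed versions for
CVE-2023-38075. Added example, not Siemens tooling. The FIXED table comes from
the Official Fix section; INVENTORY is constructed sample data."""
from typing import Optional

# Fixed version per product and maintenance branch. A branch key of "*"
# means every earlier version of the product is affected.
FIXED = {
    "JT2Go": {"*": "14.3.0.1"},
    "Teamcenter Visualization": {
        "13.3": "13.3.0.12",
        "14.1": "14.1.0.11",
        "14.2": "14.2.0.6",
        "14.3": "14.3.0.1",
    },
    "Tecnomatix Plant Simulation": {
        "2201": "2201.0010",
        "2302": "2302.0004",
    },
}


def parse_version(text: str) -> tuple:
    """Turn 'V14.2.0.5' or '2201.0010' into a tuple of ints so that comparison
    is numeric: '14.2.0.10' > '14.2.0.6', which a string compare gets wrong.
    A shorter version such as '14.3' sorts below '14.3.0.1', i.e. vulnerable."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))


def is_vulnerable(product: str, version: str) -> Optional[bool]:
    """True if the version is below the fix for its branch, False if fixed,
    None if the branch is not covered by this advisory (consult SSA-278349)."""
    branches = FIXED[product]
    v = parse_version(version)
    if "*" in branches:
        return v < parse_version(branches["*"])
    for branch, fixed in branches.items():
        prefix = parse_version(branch)
        if v[:len(prefix)] == prefix:
            return v < parse_version(fixed)
    return None


def assess(inventory):
    """Label each (host, product, version) as vulnerable / fixed / unknown."""
    labels = {True: "vulnerable", False: "fixed", None: "unknown"}
    return [(host, product, version, labels[is_vulnerable(product, version)])
            for host, product, version in inventory]


# Constructed inventory, as it might be collected from Help > About or an asset
# database. Hostnames are placeholders.
INVENTORY = [
    ("eng-ws-01", "JT2Go", "V14.2.0.5"),                     # vulnerable
    ("eng-ws-02", "Teamcenter Visualization", "V14.2.0.6"),  # fixed
    ("eng-ws-03", "Teamcenter Visualization", "V14.2.0.10"), # fixed (numeric compare)
    ("eng-ws-04", "Teamcenter Visualization", "V14.0.0.9"),  # branch not in advisory
    ("sim-srv-01", "Tecnomatix Plant Simulation", "2201.0009"),  # vulnerable
]

if __name__ == "__main__":
    for host, product, version, status in assess(INVENTORY):
        print(f"{host:12} {product:28} {version:12} {status}")
```

Anything reported as unknown means the installed branch is not one the advisory lists, which is not the same as fixed; check the vendor advisory for that branch before closing the finding.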
📡 Detection & Monitoring
Log Indicators:
- Application crashes (WerFault.exe spawned by the viewer) shortly after a WRL file is opened; a failed exploit attempt usually looks like a crash
- Unexpected child processes (cmd.exe, powershell.exe, script hosts, rundll32.exe) spawned by the viewer, which has no legitimate reason to launch them
- Security event logs showing blocked execution attempts if application control is enabled
Network Indicators:
- Unusual outbound connections from engineering workstations
- File transfers of WRL files from untrusted sources
SIEM Query (baseline: viewer launched from Explorer with a WRL argument; this matches normal use as well, so use it for context around the indicators above, not as an alert on its own):
EventID=4688 AND NewProcessName LIKE '%jt2go%' AND ParentProcessName LIKE '%explorer%' AND CommandLine LIKE '%.wrl%'
This query needs process creation auditing with command-line logging enabled (Audit Process Creation plus "Include command line in process creation events"); without it, CommandLine is empty. Replace or extend the '%jt2go%' pattern with the exact executable names of Teamcenter Visualization and Plant Simulation from your installation; a loose pattern such as '%vis%' also matches unrelated software (for example anything under a Visual Studio path) and produces noise. The higher-fidelity rule is the viewer appearing as ParentProcessName of a shell or script host.
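The child-process rule described above, run over constructed 4688-style events as an added example (not part of the original page and not a vendor detection): a viewer launch with a .wrl argument is recorded as context, and any shell, script host or crash handler the viewer then spawns is raised as an alert. The viewer name set contains only jt2go.exe, following the page's own pattern; the other products' executable names are assumed to be added from your installation.

```python
"""Detection logic for CVE-2023-38075-style exploitation: a 3D viewer opens a
WRL file and then spawns a process it has no business spawning. Added example
over constructed Windows Security 4688 events, not real logs."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath

# Viewer executables to watch. "jt2go.exe" follows the page's '%jt2go%'
# pattern; add the executable names of Teamcenter Visualization and
# Tecnomatix Plant Simulation from your own installation (assumed to differ).
VIEWER_NAMES = {"jt2go.exe"}

# Shells, script hosts and LOLBins a document viewer should never launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
# Windows Error Reporting is spawned by the faulting process, so its parent
# being the viewer means the viewer crashed.
CRASH_HANDLERS = {"werfault.exe"}


@dataclass
class Event:                 # the 4688 fields the rule needs
    time: datetime
    new_process: str         # NewProcessName (full path)
    parent_process: str      # ParentProcessName (full path)
    command_line: str        # CommandLine (requires command-line auditing)


@dataclass
class Alert:
    severity: str
    reason: str
    event: Event


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events, window=timedelta(minutes=10)):
    """Return alerts for viewers that crashed or spawned a shell, rated higher
    when a WRL file was opened in the viewer within `window` beforehand."""
    wrl_opens = []   # times at which a viewer was launched with a .wrl argument
    alerts = []
    for e in sorted(events, key=lambda ev: ev.time):
        child, parent = _base(e.new_process), _base(e.parent_process)
        if child in VIEWER_NAMES and ".wrl" in e.command_line.lower():
            wrl_opens.append(e.time)       # context only, never an alert by itself
            continue
        if parent not in VIEWER_NAMES:
            continue
        recent = any(timedelta(0) <= e.time - t <= window for t in wrl_opens)
        if child in SHELLS:
            alerts.append(Alert("high" if recent else "medium",
                                f"{parent} spawned {child}", e))
        elif child in CRASH_HANDLERS and recent:
            alerts.append(Alert("low", f"{parent} crashed after opening a WRL file", e))
    return alerts


# Constructed sample: benign open, crash, then a hidden PowerShell child.
T0 = datetime(2023, 7, 11, 9, 0, 0)
VIEWER = r"C:\Program Files\Siemens\JT2Go\JT2Go.exe"   # assumed install path
SAMPLE = [
    Event(T0, VIEWER, r"C:\Windows\explorer.exe",
          f'"{VIEWER}" "C:\\Users\\alice\\Downloads\\bracket.wrl"'),
    Event(T0 + timedelta(seconds=4), r"C:\Windows\System32\WerFault.exe", VIEWER,
          r"C:\Windows\System32\WerFault.exe -u -p 4412 -s 1234"),
    Event(T0 + timedelta(seconds=9),
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", VIEWER,
          "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Event(T0 + timedelta(minutes=30), r"C:\Windows\System32\notepad.exe",
          r"C:\Windows\explorer.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(f"[{a.severity}] {a.time if False else a.event.time:%H:%M:%S} {a.reason}")
```

The crash alert is deliberately low severity on its own: crashes happen for benign reasons, but a crash followed seconds later by a shell child from the same viewer is the pattern a failed-then-successful exploit attempt leaves, and both events carry the process id needed to join them.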