CVE-2022-41663 - Exploiting Use-After-Free in Siemens JT2Go and Teamcenter Visualization via Malicious CGM Files

In October 2022, Siemens disclosed a serious vulnerability, tracked as CVE-2022-41663, that affects their industrial 3D visualization products — JT2Go and several Teamcenter Visualization versions. This post will walk you through the technical details, the impact, and even show you what an exploit might look like, all in straightforward language.

Teamcenter Visualization V14.1 (All versions before V14.1..4)

All these products are widely used in manufacturing, engineering, and product lifecycle management for viewing and interacting with complex 3D models and diagrams.

Vulnerability Overview

The glitch lies in how these programs parse Computer Graphics Metafiles (CGM files). If the program processes a specially crafted or malicious CGM file, it can free memory and then later still try to access it — this is what's called a *use-after-free vulnerability*.

But maybe someone else picked up your old address and changed what’s at that spot!

Attackers love this situation because, if timed right, they can trick the program into running their own code.

Exploitation Details

An attacker could create a CGM file that exploits this bug. All they'd need is a way to convince you (or your system) to open this corrupted file in one of the Siemens programs. As soon as the file is loaded, malicious code bundled within the crafted CGM file could run on your computer — inheriting the same permissions as the app (usually the logged-in user).

Proof of Concept (PoC) – Example CGM Code

Below is a *simplified* and conceptual example to show what an attacker might do. The real attack would need deeper knowledge of the program's memory management, but this gives the idea.

Sample Malicious CGM Snippet

% Begin CGM
BEGMF "CVE202241663"
MFVERSION 1
MFEFONTLIST 1 "ExploitFont"
...
% Insert malformed or repeated elements that trigger reallocation/freeing
EDGEVIS 1
EDGEVIS 
EDGEVIS 1
% ...more manipulations
ENDMF

The above isn't directly weaponized, but by exploiting edge cases and malformed records, an attacker could trigger the use-after-free bug. In a real scenario, shellcode would be included to execute arbitrary actions.

This is how a vulnerable function might look inside the application

void parseElement(Element *elem) {
    free(elem->pointer);    // Frees memory too early
    
    if(elem->hasData) {
        processData(elem->pointer); // Dangerous! Still accessing freed pointer
    }
}

Impact and Severity

- Base CVSS Score: 7.8 HIGH

Fixes and Updates

- Siemens has provided patched versions, available from their advisory page.

References and More Information

- Siemens Security Advisory SSA-845300 (PDF)
- MITRE CVE Entry
- US-CERT Advisory

Conclusion

CVE-2022-41663 is a prime example of how dangerous parsing bugs can be — especially in specialized industry software. If you use Siemens JT2Go or Teamcenter Visualization, upgrading is not optional. Handle CGM files like you would executable programs: never open them unless you know where they come from.

Stay patched, stay safe!

*Written exclusively for you. Please refer directly to Siemens Security Notices for ongoing updates.*

Timeline

Published on: 11/08/2022 11:15:00 UTC
Last modified on: 11/08/2022 16:29:00 UTC