Critical Vulnerabilities Impact Widely Used Printed Circuit Board File Viewer

Security researchers with Cisco’s Talos division this week disclosed six critical-severity vulnerabilities affecting Gerbv, an open source file viewer for printed circuit board (PCB) designs.

A native Linux application, Gerbv is found on many common UNIX platforms, with a Windows version available as well. Gerbv has been downloaded from SourceForge more than 1 million times.

The software is designed for viewing file formats that display layers of circuit boards, including Excellon drill files, RS-274X Gerber files, and pick-n-place files, and can be used either as a standalone application, or as a library.

“Some PCB manufacturers use software like Gerbv in their web interfaces as a tool to convert Gerber (or other supported) files into images. Users can upload gerber files to the manufacturer website, which are converted to an image to be displayed in the browser, so that users can verify that what has been uploaded matches their expectations,” Talos explained.

This makes it possible for an attacker to reach the software over the network without user interaction or elevated privileges.

The identified vulnerabilities, the researchers explain, impact the function that Gerbv employs when opening Gerber files.

Four of the newly disclosed vulnerabilities – tracked as CVE-2021-40391, CVE-2021-40393, CVE-2021-40394, and CVE-2021-40401 – have a CVSS score of 10. All four could be exploited by uploading a specially crafted file to Gerbv.

The security holes (two out-of-bounds writes, one integer overflow, and a use-after-free) could be exploited to achieve code execution.

Two other critical-severity vulnerabilities – tracked as CVE-2021-40400 and CVE-2021-40402 – can be exploited to leak data. Both can be exploited by supplying a specially crafted Gerber file.

Cisco’s Talos researchers also identified a medium-severity information disclosure vulnerability (CVE-2021-40403) that impacts the pick-and-place rotation parsing functionality of Gerbv. Using specially crafted files, an attacker could leak memory contents, the researchers say.

According to Talos, patches have been released for four of these vulnerabilities (three critical- and one medium-severity). Two of the bugs (CVE-2021-40400 and CVE-2021-40402) remain unpatched although more than 90 days have passed since the vendor was notified.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
