Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Critical Vulnerabilities Impact Widely Used Printed Circuit Board File Viewer

Security researchers with Cisco’s Talos division this week disclosed six critical-severity vulnerabilities affecting Gerbv, an open source file viewer for printed circuit board (PCB) designs.

Security researchers with Cisco’s Talos division this week disclosed six critical-severity vulnerabilities affecting Gerbv, an open source file viewer for printed circuit board (PCB) designs.

A native Linux application, Gerbv is found on many common UNIX platforms, with a Windows version available as well. Gerbv has been downloaded from SourceForge more than 1 million times.

The software is designed for viewing file formats that display layers of circuit boards, including Excellon drill files, RS-274X Gerber files, and pick-n-place files, and can be used either as a standalone application, or as a library.

“Some PCB manufacturers use software like Gerbv in their web interfaces as a tool to convert Gerber (or other supported) files into images. Users can upload gerber files to the manufacturer website, which are converted to an image to be displayed in the browser, so that users can verify that what has been uploaded matches their expectations,” Talos explained.

This makes it possible for an attacker to reach the software over the network without user interaction or elevated privileges.

The identified vulnerabilities, the researchers explain, impact the function that Gerbv employs when opening Gerber files.

Advertisement. Scroll to continue reading.

[ READ: Critical Vulnerabilities Found in Sealevel Device Used in ICS Environments ]

Four of the newly disclosed vulnerabilities – tracked as CVE-2021-40391, CVE-2021-40393, CVE-2021-40394, and CVE-2021-40401 – have a CVSS score of 10. All four could be exploited by uploading a specially crafted file to Gerbv.

The security holes (two out-of-bounds write, one integer overflow, and a use-after-free) could be exploited to achieve code execution.

Two other critical-severity vulnerabilities – tracked as CVE-2021-40400 and CVE-2021-40402 – can be exploited to leak data. Both can be exploited by supplying a specially-crafted Gerber file.

Cisco’s Talos researchers also identified a medium-severity information disclosure vulnerability (CVE-2021-40403) that impacts the pick-and-place rotation parsing functionality of Gerbv. Using specially-crafted files, an attacker could leak memory contents, the researchers say.

According to Talos, patches have been released for four of these vulnerabilities (three critical- and one medium-severity). Two of the bugs (CVE-2021-40400 and CVE-2021-40402) remain unpatched although more than 90 days have passed since the vendor was notified.

Related: Moxa MXview Vulnerabilities Expose Industrial Networks to Attacks

Related: Trend Micro Patches Vulnerabilities in Home Network Security Devices

Related: Cisco Discloses Details of Critical Advantech Router Tool Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.