Security researchers with Cisco’s Talos division this week disclosed six critical-severity vulnerabilities affecting Gerbv, an open source file viewer for printed circuit board (PCB) designs.
A native Linux application, Gerbv is found on many common UNIX platforms, with a Windows version available as well. Gerbv has been downloaded from SourceForge more than 1 million times.
The software is designed for viewing file formats that display layers of circuit boards, including Excellon drill files, RS-274X Gerber files, and pick-n-place files, and can be used either as a standalone application, or as a library.
“Some PCB manufacturers use software like Gerbv in their web interfaces as a tool to convert Gerber (or other supported) files into images. Users can upload gerber files to the manufacturer website, which are converted to an image to be displayed in the browser, so that users can verify that what has been uploaded matches their expectations,” Talos explained.
This makes it possible for an attacker to reach the software over the network without user interaction or elevated privileges.
The identified vulnerabilities, the researchers explain, impact the function that Gerbv employs when opening Gerber files.
Four of the newly disclosed vulnerabilities – tracked as CVE-2021-40391, CVE-2021-40393, CVE-2021-40394, and CVE-2021-40401 – have a CVSS score of 10. All four could be exploited by uploading a specially crafted file to Gerbv.
The security holes (two out-of-bounds writes, one integer overflow, and one use-after-free) could be exploited to achieve code execution.
Two other critical-severity vulnerabilities – tracked as CVE-2021-40400 and CVE-2021-40402 – can be exploited to leak data. Both can be triggered by supplying a specially crafted Gerber file.
Cisco’s Talos researchers also identified a medium-severity information disclosure vulnerability (CVE-2021-40403) that impacts the pick-and-place rotation parsing functionality of Gerbv. Using specially crafted files, an attacker could leak memory contents, the researchers say.
According to Talos, patches have been released for four of these vulnerabilities (three critical- and one medium-severity). Two of the bugs (CVE-2021-40400 and CVE-2021-40402) remain unpatched although more than 90 days have passed since the vendor was notified.