Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Vulnerabilities in Open Design Alliance SDK Impact Siemens, Other Vendors

Eight vulnerabilities discovered in the Drawings software development kit (SDK) made by Open Design Alliance (ODA) impact products from Siemens and likely other vendors.

Eight vulnerabilities discovered in the Drawings software development kit (SDK) made by Open Design Alliance (ODA) impact products from Siemens and likely other vendors.

ODA is a nonprofit organization that creates SDKs for engineering applications, including computer aided design (CAD), geographic information systems (GIS), building and construction, product lifecycle management (PLM), and internet of things (IoT). Its website says the organization has 1,200 member companies worldwide, and its products are used by several major companies, including Siemens, Microsoft, Bentley, and Epic Games.

Mat Powell and Brian Gorenc of Trend Micro’s Zero Day Initiative (ZDI) discovered that ODA’s Drawings SDK, which is designed to provide access to all data in .dwg and .dgn design files, is affected by several vulnerabilities that can be exploited by convincing the targeted user to open a specially crafted file.

The ZDI researchers discovered the flaws in Siemens’ JT2Go 3D JT viewing tool, but further analysis revealed that the issues were actually introduced by the use of the Drawings SDK.

On its website, ODA describes the SDK as the “leading technology for working with .dwg files” and says it’s used by hundreds of companies in thousands of applications. This means the vulnerabilities likely impact many other products, but SecurityWeek has not seen any vendor advisories being published to date.

Dustin Childs, communications manager at ZDI, said the company expects Siemens to release patches soon.

“There may be other vendors similarly impacted, but we’re not sure how many others consume the affected SDK,” Childs told SecurityWeek.

The vulnerabilities, rated high and medium severity, have been described as out-of-bounds, improper check, and use-after-free issues. They can be exploited to cause a denial of service (DoS) condition, execute arbitrary code, or obtain potentially sensitive information by getting the targeted user to open specially crafted DWG or DGN files with an application that uses the SDK.

Advertisement. Scroll to continue reading.

However, Childs noted that in order to be able to take complete control of a system, an attacker would need to chain one of the code execution vulnerabilities with a privilege escalation flaw.

ODA lists these vulnerabilities in the security advisories section of its website, but it’s unclear if it actively informed customers about the flaws and the availability of patches — fixes are included in version 2022.5.

Repeated attempts for additional information and comments from ODA regarding these vulnerabilities were unsuccessful.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory for the vulnerabilities, advising companies that use the Drawings SDK to update it to version 2022.5 or later.

Another advisory for seven similar Drawings SDK vulnerabilities was published by CISA in May.

Related: Flaws in Rockwell Software Impact Products From Schneider Electric, GE and Others

Related: Siemens Addresses 60 Vulnerabilities Introduced by Third-Party Components

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.