Vulnerabilities in Open Design Alliance SDK Impact Siemens, Other Vendors

Eight vulnerabilities discovered in the Drawings software development kit (SDK) made by Open Design Alliance (ODA) impact products from Siemens and likely other vendors.

ODA is a nonprofit organization that creates SDKs for engineering applications, including computer-aided design (CAD), geographic information systems (GIS), building and construction, product lifecycle management (PLM), and internet of things (IoT). Its website says the organization has 1,200 member companies worldwide, and its products are used by several major companies, including Siemens, Microsoft, Bentley, and Epic Games.

Mat Powell and Brian Gorenc of Trend Micro’s Zero Day Initiative (ZDI) discovered that ODA’s Drawings SDK, which is designed to provide access to all data in .dwg and .dgn design files, is affected by several vulnerabilities that can be exploited by convincing the targeted user to open a specially crafted file.

The ZDI researchers discovered the flaws in Siemens’ JT2Go 3D JT viewing tool, but further analysis revealed that the issues were actually introduced by the use of the Drawings SDK.

On its website, ODA describes the SDK as the “leading technology for working with .dwg files” and says it’s used by hundreds of companies in thousands of applications. This means the vulnerabilities likely impact many other products, but SecurityWeek has not seen any vendor advisories being published to date.

Dustin Childs, communications manager at ZDI, said the company expects Siemens to release patches soon.

“There may be other vendors similarly impacted, but we’re not sure how many others consume the affected SDK,” Childs told SecurityWeek.

The vulnerabilities, rated high and medium severity, have been described as out-of-bounds, improper check, and use-after-free issues. They can be exploited to cause a denial of service (DoS) condition, execute arbitrary code, or obtain potentially sensitive information by getting the targeted user to open specially crafted DWG or DGN files with an application that uses the SDK.

However, Childs noted that in order to be able to take complete control of a system, an attacker would need to chain one of the code execution vulnerabilities with a privilege escalation flaw.

ODA lists these vulnerabilities in the security advisories section of its website, but it’s unclear if it actively informed customers about the flaws and the availability of patches — fixes are included in version 2022.5.

Repeated attempts to obtain additional information and comment from ODA regarding these vulnerabilities were unsuccessful.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory for the vulnerabilities, advising companies that use the Drawings SDK to update it to version 2022.5 or later.

Another advisory for seven similar Drawings SDK vulnerabilities was published by CISA in May.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
