Eight vulnerabilities discovered in the Drawings software development kit (SDK) made by Open Design Alliance (ODA) impact products from Siemens and likely other vendors.
ODA is a nonprofit organization that creates SDKs for engineering applications, including computer-aided design (CAD), geographic information systems (GIS), building and construction, product lifecycle management (PLM), and internet of things (IoT). Its website says the organization has 1,200 member companies worldwide, and its products are used by several major companies, including Siemens, Microsoft, Bentley, and Epic Games.
Mat Powell and Brian Gorenc of Trend Micro’s Zero Day Initiative (ZDI) discovered that ODA’s Drawings SDK, which is designed to provide access to all data in .dwg and .dgn design files, is affected by several vulnerabilities that can be exploited by convincing the targeted user to open a specially crafted file.
The ZDI researchers discovered the flaws in Siemens’ JT2Go 3D JT viewing tool, but further analysis revealed that the issues were actually introduced by the use of the Drawings SDK.
On its website, ODA describes the SDK as the “leading technology for working with .dwg files” and says it’s used by hundreds of companies in thousands of applications. This means the vulnerabilities likely impact many other products, but SecurityWeek has not seen any vendor advisories being published to date.
Dustin Childs, communications manager at ZDI, said the company expects Siemens to release patches soon.
“There may be other vendors similarly impacted, but we’re not sure how many others consume the affected SDK,” Childs told SecurityWeek.
The vulnerabilities, rated high and medium severity, have been described as out-of-bounds, improper check, and use-after-free issues. They can be exploited to cause a denial of service (DoS) condition, execute arbitrary code, or obtain potentially sensitive information by getting the targeted user to open specially crafted DWG or DGN files with an application that uses the SDK.
However, code executed through a malicious drawing file runs with the privileges of the user who opened it. Childs noted that in order to take complete control of a system, an attacker would need to chain one of the code execution vulnerabilities with a privilege escalation flaw.
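To make the "out-of-bounds" and "improper check" classes concrete, the following is an added illustration written for this article; it is not code from ODA, the Drawings SDK or Siemens, and the record layout it parses (a 4-byte little-endian length followed by payload bytes) is a constructed toy format, not DWG or DGN. The unchecked parser trusts a length field taken from the file and copies that many bytes into a fixed-size structure, which is exactly the pattern that turns a crafted file into an out-of-bounds read or write; the checked parser validates the length against both the destination capacity and the remaining input before any copy happens. The sample records are constructed inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy record layout (an assumption for illustration, not DWG/DGN):
 *   bytes 0..3 : uint32 little-endian payload length
 *   bytes 4..  : `length` payload bytes
 */
#define MAX_PAYLOAD 64

typedef struct {
    uint32_t length;
    uint8_t payload[MAX_PAYLOAD];
} record_t;

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length comes straight from the file and drives memcpy.
 * A crafted length > MAX_PAYLOAD writes past rec->payload (out-of-bounds write);
 * a crafted length > buflen - 4 reads past the end of the input (out-of-bounds read).
 * Only call this with well-formed input; the crafted records below would corrupt memory. */
bool parse_record_unchecked(const uint8_t *buf, size_t buflen, record_t *rec) {
    if (buflen < 4) return false;
    rec->length = read_u32le(buf);
    memcpy(rec->payload, buf + 4, rec->length);   /* no bounds check at all */
    return true;
}

/* Hardened pattern: every file-controlled length is checked before it is used. */
bool parse_record_checked(const uint8_t *buf, size_t buflen, record_t *rec) {
    if (buf == NULL || rec == NULL || buflen < 4) return false;
    uint32_t len = read_u32le(buf);
    if (len > MAX_PAYLOAD) return false;            /* would overflow the destination */
    if ((size_t)len > buflen - 4) return false;     /* would read past the input; buflen >= 4 here */
    rec->length = len;
    memcpy(rec->payload, buf + 4, len);
    return true;
}

/* Constructed sample inputs. */
static const uint8_t VALID_RECORD[] = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
/* Claims 0xFFFFFFFF payload bytes but carries only one: over-read of the input. */
static const uint8_t CRAFTED_HUGE_LEN[] = { 0xff, 0xff, 0xff, 0xff, 'A' };

/* Builds a record whose length (128) fits inside the input but exceeds MAX_PAYLOAD,
 * i.e. the case that overflows the destination rather than over-reading the source.
 * Returns the record size written into `out`, or 0 if `cap` is too small. */
size_t build_oversized_record(uint8_t *out, size_t cap) {
    const uint32_t len = 128;
    if (cap < 4 + len) return 0;
    out[0] = (uint8_t)len; out[1] = 0; out[2] = 0; out[3] = 0;
    memset(out + 4, 'B', len);
    return 4 + len;
}

int main(void) {
    record_t rec;
    uint8_t oversized[4 + 128];
    size_t n = build_oversized_record(oversized, sizeof oversized);

    printf("valid record, checked parser:     %s\n",
           parse_record_checked(VALID_RECORD, sizeof VALID_RECORD, &rec) ? "accepted" : "rejected");
    printf("huge length, checked parser:      %s\n",
           parse_record_checked(CRAFTED_HUGE_LEN, sizeof CRAFTED_HUGE_LEN, &rec) ? "accepted" : "rejected");
    printf("oversized payload, checked parser: %s\n",
           parse_record_checked(oversized, n, &rec) ? "accepted" : "rejected");
    /* parse_record_unchecked is deliberately not run on the crafted records:
     * it would read or write out of bounds, which is the bug being illustrated. */
    return 0;
}
```

The point of the checked version is the order of operations: both comparisons happen before the file-supplied value touches memory, and the subtraction `buflen - 4` is only performed after `buflen >= 4` has been established so it cannot wrap. Fuzzing a real parser with mutated length fields is the practical way to find the places where this discipline slipped.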
ODA lists these vulnerabilities in the security advisories section of its website, but it’s unclear if it actively informed customers about the flaws and the availability of patches — fixes are included in version 2022.5.
Repeated attempts for additional information and comments from ODA regarding these vulnerabilities were unsuccessful.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory for the vulnerabilities, advising companies that use the Drawings SDK to update it to version 2022.5 or later.
Another advisory for seven similar Drawings SDK vulnerabilities was published by CISA in May.
Related: Flaws in Rockwell Software Impact Products From Schneider Electric, GE and Others
Related: Siemens Addresses 60 Vulnerabilities Introduced by Third-Party Components