Cisco Talos security researchers revealed six critical-severity vulnerabilities in Gerbv, an open source file viewer for printed circuit board (PCB) designs, this week.
Gerbv is a native Linux application that runs on a variety of UNIX platforms and also has a Windows version. Gerbv has been downloaded over a million times from SourceForge.
The software can be used as a standalone application or as a library to read file types that display layers of circuit boards, such as Excellon drill files, RS-274X Gerber files, and pick-n-place files.
“In their web interfaces, several PCB makers employ software like Gerbv to transform Gerber (or other supported) files into pictures. Users can upload gerber files to the manufacturer’s website, which are then converted to an image that can be viewed in the browser, allowing them to double-check that what was provided meets their expectations,” Talos explained.
In such deployments the vulnerable software is reachable over the network, and exploiting it requires neither user interaction nor elevated privileges.
According to the researchers, the identified flaws lie in the code Gerbv uses to open Gerber files.
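The upload-and-render pipeline Talos describes is exactly where file-parsing bugs like these become reachable, so the control worth having while patches are pending is to keep the renderer in its own constrained process rather than in the web application. The Python wrapper below is an added example, not code from Talos or the Gerbv project. It assumes a web backend that invokes the gerbv command line with `-x png -o <output> <input>` (gerbv's export options); `fake_gerbv`, the sample inputs, and the size and resource limits are constructed so that it runs offline.

```python
import subprocess
import tempfile
from pathlib import Path

try:
    import resource          # POSIX only; limits are skipped elsewhere
except ImportError:
    resource = None

# Constructed limits: Gerber files are plain text and normally small.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024
RENDER_TIMEOUT_S = 20            # wall clock for one conversion
CPU_SECONDS = 10                 # CPU budget for the renderer process
ADDRESS_SPACE_BYTES = 512 * 1024 * 1024


def looks_like_gerber(data: bytes) -> bool:
    """Cheap plausibility check for RS-274X input: ASCII text with a format
    specification (%FS...*%) near the top and an end-of-file code (M02*/M00*).
    This triages junk uploads; it is not a parser and not a security boundary,
    and a crafted file will pass it."""
    if not data or b"\x00" in data:
        return False
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return "%FS" in text[:4096] and ("M02*" in text or "M00*" in text)


def _child_limits():
    """Runs in the child just before exec: cap CPU time and address space and
    disable core dumps, so a parser bug kills this process, not the service."""
    if resource is None:
        return
    resource.setrlimit(resource.RLIMIT_CPU, (CPU_SECONDS, CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (ADDRESS_SPACE_BYTES, ADDRESS_SPACE_BYTES))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def render_upload(data: bytes, gerbv_bin: str = "gerbv", run=subprocess.run):
    """Convert an uploaded Gerber file to PNG in an isolated child process.
    Returns (png_bytes, None) on success or (None, reason) when rejected.
    `run` is injectable so the function can be exercised without gerbv."""
    if len(data) > MAX_UPLOAD_BYTES:
        return None, "upload too large"
    if not looks_like_gerber(data):
        return None, "not a plausible RS-274X file"
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "upload.gbr"
        dst = Path(work) / "preview.png"
        src.write_bytes(data)
        # Assumed gerbv CLI: -x <format> selects the export type, -o the output path.
        argv = [gerbv_bin, "-x", "png", "-o", str(dst), str(src)]
        try:
            proc = run(argv, cwd=work, capture_output=True, check=False,
                       timeout=RENDER_TIMEOUT_S, preexec_fn=_child_limits,
                       env={"PATH": "/usr/bin:/bin"})     # no shell, minimal env
        except subprocess.TimeoutExpired:
            return None, "renderer timed out"
        if proc.returncode != 0 or not dst.is_file():
            return None, f"renderer failed (exit status {proc.returncode})"
        return dst.read_bytes(), None


def fake_gerbv(argv, **kwargs):
    """Constructed stand-in for subprocess.run so the demo runs offline: writes
    a PNG signature to the requested output path, or returns a signal-style
    exit status when the input carries the constructed marker 'CRASH'."""
    out = Path(argv[argv.index("-o") + 1])
    if b"CRASH" in Path(argv[-1]).read_bytes():
        return subprocess.CompletedProcess(argv, -11)   # as if killed by SIGSEGV
    out.write_bytes(b"\x89PNG\r\n\x1a\n")
    return subprocess.CompletedProcess(argv, 0)


# Constructed sample inputs.
SAMPLE_GERBER = b"%FSLAX24Y24*%\n%MOMM*%\nD10*\nX0Y0D02*\nX1000Y1000D01*\nM02*\n"
SAMPLE_CRASHER = b"%FSLAX24Y24*%\nG04 CRASH*\nM02*\n"

if __name__ == "__main__":
    for label, blob in [("sane", SAMPLE_GERBER), ("crasher", SAMPLE_CRASHER),
                        ("png-as-gerber", b"\x89PNG\r\n\x1a\n")]:
        png, reason = render_upload(blob, run=fake_gerbv)
        msg = f"rendered {len(png)} bytes" if png else f"rejected: {reason}"
        print(f"{label}: {msg}")
```

The point of the rlimits, the timeout and the empty environment is to turn a memory-corruption bug in the parser into a crashed child and a rejected upload rather than a compromised web process; on a real deployment the child should additionally run as an unprivileged user or inside a container with no network access. The plausibility check only saves renderer time on obvious junk and must not be mistaken for input validation.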
Four of the newly disclosed vulnerabilities have a CVSS score of 10: CVE-2021-40391, CVE-2021-40393, CVE-2021-40394, and CVE-2021-40401. All four can be triggered by supplying a specially crafted file to Gerbv.
They comprise two out-of-bounds writes, one integer overflow, and a use-after-free, each of which could be exploited to execute code.
Two other critical-severity vulnerabilities, CVE-2021-40400 and CVE-2021-40402, can be used to leak information; both are triggered by supplying a specially crafted Gerber file.
Cisco Talos researchers also discovered a medium-severity information disclosure vulnerability in Gerbv’s pick-and-place rotation parsing functionality (CVE-2021-40403). According to the researchers, an attacker could leak memory contents by using specially crafted files.
According to Talos, patches have been released for four of these flaws (three critical- and one medium-severity). Two of the bugs (CVE-2021-40400 and CVE-2021-40402) remain unpatched, despite the vendor having been notified more than 90 days ago.