Eight vulnerabilities discovered in the Open Design Alliance (ODA) Drawings software development kit (SDK) affect Siemens and presumably other vendors’ products.
ODA is a non-profit company that develops software development kits (SDKs) for engineering applications such as CAD, GIS, building and construction, product lifecycle management (PLM), and the internet of things (IoT). According to the organization’s website, it has 1,200 members globally, and its products are used by big corporations such as Siemens, Microsoft, Bentley, and Epic Games.
ODA’s Drawings SDK, which is designed to provide access to all data in.dwg and.dgn design files, is affected by several vulnerabilities that can be exploited by convincing the targeted user to open a specially crafted file, according to Mat Powell and Brian Gorenc of Trend Micro’s Zero Day Initiative (ZDI).
The weaknesses were uncovered by ZDI researchers in Siemens‘ JT2Go 3D JT viewing tool, however additional investigation indicated that the problems were caused by the Drawings SDK.
According to ODA’s website, the SDK is the “dominant technology for interacting with.dwg files,” with hundreds of organisations using it in thousands of applications. As a result, the flaws are expected to affect a wide range of products, but has yet to see any vendor advisories.
ZDI’s communications manager, Dustin Childs, said the business anticipates Siemens releasing updates soon.
“There may be additional suppliers who are similarly impacted,” Childs told SecurityWeek, “but we’re not sure how many others use the compromised SDK.”
Out-of-bounds, inappropriate check, and use-after-free concerns have been defined as the vulnerabilities, which have been classified high and medium severity. By convincing the intended user to open specially constructed DWG or DGN files with an application that uses the SDK, they can be used to cause a denial of service (DoS) condition, execute arbitrary code, or gather potentially sensitive information.
However, Childs pointed out that an attacker would need to combine one of the code execution flaws with a privilege escalation weakness in order to gain complete control of a system.
These weaknesses are listed on the security advisories area of ODA’s website, but it’s unclear if the company actively alerted customers about the flaws and patch availability – remedies are included in version 2022.5.
ODA has not responded to repeated requests for additional information or comments on these issues.
Companies that utilise the Drawings SDK should update to version 2022.5 or later, according to the US Cybersecurity and Infrastructure Security Agency (CISA).
CISA issued another notice in May for seven identical Drawings SDK vulnerabilities.