Critical vulnerabilties in Open Design Alliance Drawings SDK affects 1,200 companies like Siemens, Microsoft, Bentley and Epic Games

Cybersecurity specialists reported the finding of multiple vulnerabilities in Drawings SDK, a development toolkit for accessing.dwg and .dgn data through an API developed by the Open Design Alliance. According to the report, successful exploitation of these flaws would allow threat actors to trigger use-after-free, out-of-bounds read and write conditions and other risk scenarios.

Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2021-32938: The lack of proper validation of user input would allow the deployment of an out-of-bounds read condition, which in turn would trigger a denial of service (DoS) condition.

This vulnerability received a CVSS score of 4.4/10.

CVE-2021-32936: This flaw was described as an out-of-bounds write issue in the DXF file retrieval procedure that exists due to insufficient validation of user input.

The vulnerability received a CVSS score of 7.8/10 and its exploitation would allow the deployment of a DoS condition.

CVE-2021-32940: Out-of-bounds read flaw in DWG file retrieval procedure as a result of lack of proper validation of user input. The flaw received a CVSS score of 4.4/10 and its exploitation would allow a DoS attack to be deployed. 

CVE-2021-32946: Incorrect verification of unusual conditions in DGN files results in lack of proper validation of user input.

The vulnerability received a CVSS score of 7.8/10 and its exploitation would allow the deployment of a DoS attack or code execution in ongoing processes. 

CVE-2021-32948: An out-of-bounds write flaw in the DWG file reading procedure results in insufficient validation of user input. This flaw received a score of 7.8/10.

CVE-2021-32950: An out-of-bounds write issue in the DGN file read procedure can result in a write beyond the end of an allocated buffer and allow attackers to cause a DoS condition. 

The flaw received a CVSS score of 7.8/10.

CVE-2021-32952: A use-after-free flaw in the DGN file reading procedure can result in the absence of proper validation of user input. Threat actors could trigger a memory corruption condition or arbitrary code execution.

The flaw received a CVSS score of 7.8/10 and its successful exploitation would allow malicious hackers to deploy DoS conditions.

The flaws were reported by the Zero Day Initiative (ZDI) researchers Mat Powel and Brian Gorenc through the Cybersecurity and Infrastructure Security Agency (CISA).

To mitigate the risk of exploitation of these flaws, the Open Design Alliance recommends upgrading to v2022.5 or later. Remember that the upgrade process requires login and ODA membership. A list of additional security recommendations can be found in the report of these flaws published by CISA.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.