Vulnerabilities in Open Design Alliance SDK Impact Siemens, Other Vendors

Eight vulnerabilities discovered in the Drawings software development kit (SDK) made by Open Design Alliance (ODA) impact products from Siemens and likely other vendors.


ODA is a nonprofit organization that creates SDKs for engineering applications, including computer-aided design (CAD), geographic information systems (GIS), building and construction, product lifecycle management (PLM), and internet of things (IoT). Its website says the organization has 1,200 member companies worldwide, and its products are used by several major companies, including Siemens, Microsoft, Bentley, and Epic Games.


Mat Powell and Brian Gorenc of Trend Micro’s Zero Day Initiative (ZDI) discovered that ODA’s Drawings SDK, which is designed to provide access to all data in .dwg and .dgn design files, is affected by several vulnerabilities that can be exploited by convincing the targeted user to open a specially crafted file.


The ZDI researchers discovered the flaws in Siemens’ JT2Go 3D JT viewing tool, but further analysis revealed that the issues were actually introduced by the use of the Drawings SDK.


On its website, ODA describes the SDK as the “leading technology for working with .dwg files” and says it’s used by hundreds of companies in thousands of applications. This means the vulnerabilities likely impact many other products, but SecurityWeek has not seen any vendor advisories being published to date.


Dustin Childs, communications manager at ZDI, said the company expects Siemens to release patches soon.


“There may be other vendors similarly impacted, but we’re not sure how many others consume the affected SDK,” Childs told SecurityWeek.


The vulnerabilities, rated high and medium severity, have been described as out-of-bounds, improper check, and use-after-free issues. They can be exploited to cause a denial of service (DoS) condition, execute arbitrary code, or obtain potentia ..
