Security News > 2021 > June > Vulnerabilities in Open Design Alliance SDK Impact Siemens, Other Vendors
Eight vulnerabilities discovered in the Drawings software development kit made by Open Design Alliance impact products from Siemens and likely other vendors.
Dgn design files, is affected by several vulnerabilities that can be exploited by convincing the targeted user to open a specially crafted file.
The ZDI researchers discovered the flaws in Siemens' JT2Go 3D JT viewing tool, but further analysis revealed that the issues were actually introduced by the use of the Drawings SDK. On its website, ODA describes the SDK as the "Leading technology for working with.dwg files" and says it's used by hundreds of companies in thousands of applications.
This means the vulnerabilities likely impact many other products, but SecurityWeek has not seen any vendor advisories being published to date.
They can be exploited to cause a denial of service condition, execute arbitrary code, or obtain potentially sensitive information by getting the targeted user to open specially crafted DWG or DGN files with an application that uses the SDK. However, Childs noted that in order to be able to take complete control of a system, an attacker would need to chain one of the code execution vulnerabilities with a privilege escalation flaw.
The U.S. Cybersecurity and Infrastructure Security Agency has published an advisory for the vulnerabilities, advising companies that use the Drawings SDK to update it to version 2022.5 or later.