Siemens published a customer advisory on Tuesday, 25 May, concerning several serious vulnerabilities affecting its Solid Edge product. The flaws are introduced by fourth-party software, which many other organizations also use.
“The Solid Edge installation package includes a specific version of the third-party product KeyShot from Luxion, which may not contain the latest security fixes provided by Luxion. Siemens recommends updating KeyShot according to the information in the Luxion Security Advisory LSA-394129,” read the advisory released by Siemens.
Security researcher Andrea Micalizzi, who has found numerous flaws in industrial systems in recent years, discovered the problems in Siemens Solid Edge last year. The vulnerabilities have been reported by Trend Micro's Zero Day Initiative (ZDI) and the US Cybersecurity and Infrastructure Security Agency (CISA).
Solid Edge is 3D CAD software for solid modeling that uses parametric and synchronous technology. It runs on Microsoft Windows and offers mechanical engineers solid modeling, assembly modeling, and 2D orthographic viewing functions.
Micalizzi found that five vulnerabilities affect the product: four serious memory corruption flaws that allow remote code execution and one medium-severity XML external entity (XXE) issue that could lead to information disclosure. The vulnerabilities can be triggered when the targeted user processes a malicious CATPart, 3DXML, STP, PRT, or JT file.
Analysis of the vulnerabilities indicated that they were introduced by the use of KeyShot, a 3D rendering and animation solution produced by Luxion. Further analysis indicated that Datakit CrossCAD/Ware, a library that KeyShot uses to import different CAD (computer-aided design) files, actually introduces the problems.
CrossCAD/Ware is used by a wide variety of other products, although only Siemens, KeyShot, and CISA have published warnings for the issues.
On 12 May, ZDI also published advisories with a “0day” status for each of the vulnerabilities because they had reportedly not been patched.
The Zero Day Initiative advisory read: “This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Solid Edge Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. A specific flaw exists within the parsing of JT files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process.”
Datakit nevertheless reported that it had resolved the issues in April with version 2021.2 of CrossCAD/Ware. The company has encouraged software vendors to upgrade to version 2021.2; previous versions are still impacted. The company also advised users of impacted applications to avoid untrusted files from unverified senders.
Luxion published KeyShot 10.2, which contains the patched version of the Datakit library, and Siemens has urged Solid Edge users to upgrade KeyShot according to the instructions in Luxion's security advisory.