Siemens on Tuesday released an advisory to inform customers about several high-severity vulnerabilities affecting its Solid Edge product. The flaws are introduced by fourth-party software that is also used by many other organizations.
The vulnerabilities were discovered in Siemens Solid Edge last year by security researcher Andrea Micalizzi (aka rgod), who has identified many vulnerabilities in industrial systems over the past years. The security holes were reported through Trend Micro’s Zero Day Initiative (ZDI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Solid Edge is a product development solution that includes tools for 3D design, simulation, manufacturing and design management.
Micalizzi discovered that the product is affected by five vulnerabilities, including four high-severity memory corruption issues that allow remote code execution, and one medium-severity XXE bug that can lead to information disclosure. The vulnerabilities can be exploited by tricking the targeted user into processing malicious CATPart, 3DXML, STP, PRT, or JT files.
An analysis of the vulnerabilities revealed that they are introduced by the use of KeyShot, a 3D rendering and animation solution made by Luxion. Further analysis showed that the flaws are actually introduced by Datakit CrossCad/Ware, a library used by KeyShot for importing various CAD (computer-aided design) formats.
While to date it appears that only Siemens, KeyShot and CISA have released advisories for these vulnerabilities, CrossCad/Ware is used by many other products and they could all be vulnerable. On its website, France-based Datakit, which specializes in CAD data exchange solutions, says it collaborates as an OEM with more than 100 vendors, including many in North America and the APAC region.
ZDI published advisories for each of the vulnerabilities on May 12 with a “0day” status since they had apparently not been patched.
However, Datakit said it patched the flaws with the release of CrossCAD/Ware version 2021.2 in April. Datakit has advised software vendors to upgrade to version 2021.2 or later — earlier releases are still affected. The company also recommended that users of impacted applications avoid opening untrusted files from unknown sources.
Luxion has released KeyShot 10.2, which includes the patched version of the Datakit library, and Siemens has advised Solid Edge customers to update KeyShot as instructed in Luxion’s security advisory.
Datakit told SecurityWeek that it will release a statement soon.