CVE-2021-32936
Description
An out-of-bounds write issue exists in the DXF file-recovering procedure in the Drawings SDK (All versions prior to 2022.4) resulting from the lack of proper validation of user-supplied data. This can result in a write past the end of an allocated buffer and allow attackers to cause a denial-of-service condition or execute code in the context of the current process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2021-32936 is an out-of-bounds write in the DXF file-recovering procedure of Open Design Alliance Drawings SDK (versions prior to 2022.4) that allows denial of service or code execution via a crafted file.
Vulnerability
CVE-2021-32936 is an out-of-bounds write vulnerability in the DXF file-recovering procedure of the Open Design Alliance Drawings SDK. All versions prior to 2022.4 are affected. The issue stems from a lack of proper validation of user-supplied data when processing DXF files, leading to a write past the end of an allocated buffer [1]. Siemens JT2Go, which uses the Drawings SDK, is also affected [2].
Exploitation
An attacker can trigger this vulnerability by convincing a target to open a specially crafted DXF file, either by visiting a malicious page or opening a malicious file. No authentication or elevated privileges are required, but user interaction is necessary. The attack complexity is low [1][2].
Impact
Successful exploitation allows an attacker to cause a denial-of-service condition or execute arbitrary code in the context of the current process. This could lead to a full compromise of confidentiality, integrity, and availability (CVSS v3.1 base score 7.8, vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) [1][2].
Mitigation
Open Design Alliance has released version 2022.4, which addresses this vulnerability. No workarounds are listed in the available references. For Siemens JT2Go, users should apply the latest updates provided by Siemens [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Drawings SDK/Drawings SDK
- Range: <2022.4
Patches
No patches discovered yet.
References