CVE-2021-32938
Description
Drawings SDK (all versions prior to 2022.4) is vulnerable to an out-of-bounds read when parsing DWG files, resulting from the lack of proper validation of user-supplied data. This can result in a read past the end of an allocated buffer and allows attackers to cause a denial-of-service condition or read sensitive information from memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-bounds read in Open Design Alliance Drawings SDK prior to 2022.4 allows denial of service or information disclosure via crafted DWG files.
Vulnerability
An out-of-bounds read vulnerability exists in Open Design Alliance Drawings SDK versions prior to 2022.4 when parsing specially crafted DWG files. The issue stems from insufficient validation of user-supplied data, leading to a read past the end of an allocated buffer [1][2]. This affects all products that incorporate the SDK, such as Siemens JT2Go [2].
Exploitation
Exploitation requires user interaction: the victim must open a malicious DWG file or visit a page that triggers parsing via an application using the vulnerable SDK [2]. An attacker with local access can craft a DWG file that, when processed, triggers the out-of-bounds read. No authentication is needed, but the user must be tricked into opening the file [1].
Impact
Successful exploitation can cause a denial-of-service condition or allow the attacker to read sensitive information from memory [1]. The ZDI advisory notes that this flaw can be leveraged in conjunction with other vulnerabilities to achieve arbitrary code execution in the context of the current process [2]. The CVSS v3 base score is 4.4 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L) per CISA [1].
Mitigation
Upgrade to Drawings SDK version 2022.4 or later, which contains the fix [1]. For users of Siemens JT2Go, apply the vendor-supplied update as recommended in the ZDI advisory [2]. No workarounds are documented. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Drawings SDK / Drawings SDK
- Range: <2022.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.