Unrated severity · NVD Advisory · Published Jun 17, 2021 · Updated Aug 3, 2024

CVE-2021-32944

Description

A use-after-free issue exists in the DGN file-reading procedure in the Drawings SDK (all versions prior to 2022.4), resulting from the lack of proper validation of user-supplied data. This can result in memory corruption or arbitrary code execution, allowing attackers to cause a denial-of-service condition or execute code in the context of the current process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in the DGN file-reading procedure of Drawings SDK before 2022.4 allows remote code execution via a crafted DGN file, requiring user interaction.

Vulnerability

A use-after-free vulnerability exists in the DGN file-reading procedure of the Open Design Alliance Drawings SDK. The flaw results from the lack of proper validation of user-supplied data, specifically the failure to verify the existence of an object before performing operations on it [1][2][3]. This occurs during the parsing of DGN files. All versions prior to Drawings SDK 2022.4 are affected [1][2][3]. The same vulnerability is also present in Siemens JT2Go, which incorporates the affected SDK [2][3].

Exploitation

An attacker can exploit this vulnerability by enticing a user to open a malicious DGN file (e.g., via a web page or email attachment) [2][3]. No authentication is required, and the attack complexity is low [1][2][3]. The flaw is triggered within the DGN parsing routine in the context of the current process, allowing the attacker to write past the end of an allocated buffer [1].

Impact

Successful exploitation can lead to memory corruption and arbitrary code execution in the context of the current process [1][2][3]. The attacker gains the ability to execute code with the privileges of the user running the application, potentially leading to full system compromise. Alternatively, exploitation can cause a denial-of-service condition [1]. The CVSS v3 base score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) [1][2][3].

Mitigation

Open Design Alliance released a fix in Drawings SDK version 2022.4 [1]. Users should update to this version or later. Siemens JT2Go users should apply the patch provided by Siemens according to their advisory [1][2][3]. No workarounds are described in the available references.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

5