CVE-2021-22643: Siemens Solid Edge Viewer 3DS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability
First published: Tue Feb 23 2021(Updated: )
Luxion KeyShot versions prior to 10.1, Luxion KeyShot Viewer versions prior to 10.1, Luxion KeyShot Network Rendering versions prior to 10.1, and Luxion KeyVR versions prior to 10.1 are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
Credit: ics-cert@hq.dhs.gov
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Luxion KeyShot | <10.1 | |
| Luxion KeyShot Network Rendering | <10.1 | |
| Luxion KeyShot Viewer | <10.1 | |
| Luxion KeyVR | <10.1 | |
| Siemens Solid Edge Se2020 Firmware | ||
| Siemens Solid Edge Viewer | ||
| Siemens Solid Edge Se2021 Firmware | ||
| Siemens Solid Edge Se2021 | ||
| Siemens Solid Edge Viewer | ||
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cert-portal.siemens.com/productcert/pdf/ssa-231216.pdf
- https://us-cert.cisa.gov/ics/advisories/icsa-21-035-01
- https://www.zerodayinitiative.com/advisories/ZDI-21-316/
- https://www.zerodayinitiative.com/advisories/ZDI-21-319/
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-035-01 (Advisory)
Frequently Asked Questions
What is CVE-2021-22643?
CVE-2021-22643 is a vulnerability that allows remote attackers to execute arbitrary code on affected installations of Siemens Solid Edge Viewer.
How can this vulnerability be exploited?
This vulnerability can be exploited when the target visits a malicious page or opens a malicious file.
What is the severity of CVE-2021-22643?
The severity of CVE-2021-22643 is high with a CVSS score of 7.8.
Which software are affected by CVE-2021-22643?
Siemens Solid Edge Viewer, Luxion KeyShot, Luxion KeyShot Network Rendering, Luxion KeyShot Viewer, Luxion KeyVR, Siemens Solid Edge Se2020 Firmware, and Siemens Solid Edge Se2021 Firmware are affected by this vulnerability.
How can I fix CVE-2021-22643?
To fix CVE-2021-22643, it is recommended to update to a patched version of the affected software when available.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-21-319
- alias/ZDI-CAN-11938
- alias/CVE-2021-22643
- agent/last-modified-date
- agent/title
- agent/references
- agent/severity
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/weakness
- agent/softwarecombine
- agent/event
- alias/ZDI-21-316
- alias/ZDI-CAN-11939
- agent/software-canonical-lookup
- collector/ics-cert-advisory
- source/ICS
- vendor/luxion
- canonical/luxion keyshot
- canonical/luxion keyshot network rendering
- canonical/luxion keyshot viewer
- canonical/luxion keyvr
- vendor/siemens
- canonical/siemens solid edge se2020 firmware
- canonical/siemens solid edge viewer
- canonical/siemens solid edge se2021 firmware
- canonical/siemens solid edge se2021