CVE-2021-22645
Siemens Solid Edge Viewer Insufficient UI Warning Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Luxion KeyShot versions prior to 10.1, Luxion KeyShot Viewer versions prior to 10.1, Luxion KeyShot Network Rendering versions prior to 10.1, and Luxion KeyVR versions prior to 10.1 are vulnerable to an attack because the .bip documents display a “load” command, which can be pointed to a .dll from a remote network share. As a result, the .dll entry point can be executed without sufficient UI warning.
Luxion KeyShot versiones anteriores a 10.1, Luxion KeyShot Viewer versiones anteriores a 10.1, Luxion KeyShot Network Rendering versiones anteriores a 10.1 y Luxion KeyVR versiones anteriores a 10.1, son vulnerables a un ataque porque los documentos .bip muestran un comando "load", que puede ser apuntado a una .dll desde un recurso compartido de red remoto. Como resultado, el punto de entrada .dll puede ser ejecutado sin suficiente advertencia de la Interfaz de Usuario
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Siemens Solid Edge Viewer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of BIP files. The user interface does not provide sufficient indication of a hazard. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-01-05 CVE Reserved
- 2021-02-23 CVE Published
- 2024-08-03 CVE Updated
- 2024-11-10 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-357: Insufficient UI Warning of Dangerous Operations
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://cert-portal.siemens.com/productcert/pdf/ssa-231216.pdf | Third Party Advisory |
|
| https://us-cert.cisa.gov/ics/advisories/icsa-21-035-01 | Third Party Advisory | |
| https://www.zerodayinitiative.com/advisories/ZDI-21-323 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Siemens Search vendor "Siemens" | Solid Edge Se2020 Firmware Search vendor "Siemens" for product "Solid Edge Se2020 Firmware" | * | - |
Affected
| in | Siemens Search vendor "Siemens" | Solid Edge Se2020 Search vendor "Siemens" for product "Solid Edge Se2020" | - | - |
Safe
|
| Siemens Search vendor "Siemens" | Solid Edge Se2021 Firmware Search vendor "Siemens" for product "Solid Edge Se2021 Firmware" | * | - |
Affected
| in | Siemens Search vendor "Siemens" | Solid Edge Se2021 Search vendor "Siemens" for product "Solid Edge Se2021" | - | - |
Safe
|
| Luxion Search vendor "Luxion" | Keyshot Search vendor "Luxion" for product "Keyshot" | < 10.1 Search vendor "Luxion" for product "Keyshot" and version " < 10.1" | - |
Affected
| ||||||
| Luxion Search vendor "Luxion" | Keyshot Network Rendering Search vendor "Luxion" for product "Keyshot Network Rendering" | < 10.1 Search vendor "Luxion" for product "Keyshot Network Rendering" and version " < 10.1" | - |
Affected
| ||||||
| Luxion Search vendor "Luxion" | Keyshot Viewer Search vendor "Luxion" for product "Keyshot Viewer" | < 10.1 Search vendor "Luxion" for product "Keyshot Viewer" and version " < 10.1" | - |
Affected
| ||||||
| Luxion Search vendor "Luxion" | Keyvr Search vendor "Luxion" for product "Keyvr" | < 10.1 Search vendor "Luxion" for product "Keyvr" and version " < 10.1" | - |
Affected
| ||||||