OTPulse

Datakit Libraries bundled in Luxion KeyShot

Plan: Patch
Score: 7.8
Source: ICS-CERT ICSA-21-145-01
Date: May 25, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Multiple memory corruption and XML external entity injection vulnerabilities exist in Datakit libraries bundled in Luxion KeyShot and CAD file readers (UG3dReadPsr, Jt3dReadPsr, CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead). Successful exploitation allows arbitrary code execution or unauthorized disclosure of files when a user opens a malicious CAD file. The vulnerabilities are not remotely exploitable and no public exploits are known.

What this means
What could happen
An attacker could execute arbitrary code or disclose sensitive files on a workstation running KeyShot or applications using the affected Datakit libraries if a user opens a malicious CAD file. This could compromise engineering designs, intellectual property, or allow lateral movement into the plant network.
Who's at risk
Engineering and design teams using Luxion KeyShot or any applications bundled with Datakit libraries (including CATIA readers, STEP readers, and JT readers). This affects workstations in manufacturing, design, and product development departments that process CAD files from external or untrusted sources.
How it could be exploited
An attacker creates a malicious CAD file (UG3D, JT, STEP, CATIA V5, or CATIA V6 format) and tricks a user into opening it via email or file sharing. When the application parses the file, memory corruption or XML external entity injection flaws allow the attacker to run commands on the workstation or steal sensitive project data.
Prerequisites
  • User must open a malicious CAD file on a machine running a vulnerable KeyShot installation or a Datakit-based reader
  • No authentication or special privileges required
  • Attack requires social engineering or file sharing compromise
  • Local exploitation only (not remotely exploitable)
  • Low complexity attack (malicious file via email)
  • Requires user interaction (opening a file)
  • No patch available for several products
  • Default behavior allows automatic file parsing
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (6)
1 with fix, 5 EOL

Product           Affected Versions   Fix Status
KeyShot           ≤ 10.1              10.2 or later
Ug3dReadPsr       ≤ 2021.1            No fix (EOL)
Jt3dReadPsr       ≤ 2021.1            No fix (EOL)
CatiaV6_3dRead    ≤ 2021.1            No fix (EOL)
Step3dRead        ≤ 2021.1            No fix (EOL)
CatiaV5_3dRead    ≤ 2021.1            No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Train users not to open untrusted CAD files from unknown sources; disable file preview and auto-open features in file browsers
HARDENING: Implement email filtering to block CAD file attachments from external sources or require manager approval
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update KeyShot to version 10.2 or later
HOTFIX: Update Datakit CrossCAD/Ware library to version 2021.2 or later for any bundled applications
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Ug3dReadPsr, Jt3dReadPsr, CatiaV6_3dRead, Step3dRead, CatiaV5_3dRead. Apply the following compensating controls:
HARDENING: Isolate engineering workstations from the main plant network using network segmentation