Open Design Alliance Drawings SDK

Plan PatchCVSS 7.8ICS-CERT ICSA-21-159-02Jun 8, 2021

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

The Open Design Alliance Drawings SDK contains buffer overflow and memory safety vulnerabilities (CWE-125, CWE-787, CWE-754, CWE-416) in its file parsing logic. When a user opens a specially crafted project or drawing file, these flaws can result in arbitrary code execution within the SDK process or a denial-of-service condition. The vulnerabilities are triggered during the parsing of the drawing file and do not require authentication or network access—only that the file is opened on a system running the affected SDK.

What this means

What could happen

An attacker with local access could run arbitrary code in the context of the Drawings SDK process or crash it, potentially affecting any OT application that relies on the SDK to parse design files.

Who's at risk

Engineering teams and plant staff who use CAD or design software that relies on the Open Design Alliance Drawings SDK to parse plant drawings, P&IDs, or design documentation. This includes power utilities, water systems, and other industries where design files are used for control system engineering or documentation.

How it could be exploited

An attacker must first get a malicious project file (CAD/drawing file) onto a system running the Drawings SDK. When an authorized user opens this file, the SDK fails to validate the file contents properly, allowing code execution or memory corruption in the SDK process.

Prerequisites

Local access to a system running Drawings SDK
User interaction required: the victim must open a malicious project file
Access to or ability to place a malicious drawing/CAD file on the system

Local exploitation only (not remotely exploitable)User interaction required to open malicious fileNo patch currently available (requires vendor login)Affects engineering and design workflowsCould enable code execution on engineering workstations

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Drawings SDK: <2022.4<2022.42022.5+

Drawings SDK: 2022.42022.42022.5+

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGOnly open project files and drawings from trusted, verified sources

HARDENINGDo not enable autoplaying or auto-opening of attachments or downloaded files in systems running Drawings SDK

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Open Design Alliance Drawings SDK to version 2022.5 or later

HARDENINGApply least-privilege user principle: run design software and processes with minimal required permissions

Long-term hardening

0/1

HARDENINGIsolate systems running Drawings SDK from the Internet and restrict access from untrusted networks

CVEs (8)

CVE-2021-32938 CVE-2021-32936 CVE-2021-32940 CVE-2021-32946 CVE-2021-32948 CVE-2021-32950 CVE-2021-32952 CVE-2021-32944

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c7a42101-b189-4bb1-a510-12b5e0277f06

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.