Open Design Alliance Drawing SDK

Plan Patch7.8ICS-CERT ICSA-23-353-04Dec 19, 2023

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Open Design Alliance (ODA) Drawing SDK versions prior to 2024.1 contain use-after-free (CWE-416) and buffer overflow (CWE-122) vulnerabilities that could allow local attackers to disclose sensitive information or execute code. The vulnerabilities require user interaction, such as opening a malicious drawing file. ODA has stated no fix will be provided for versions prior to 2024.1; users must upgrade to 2024.1 or later to remediate.

What this means

What could happen

An attacker with local access to a system running ODA Drawing SDK could exploit a use-after-free or buffer overflow vulnerability to read sensitive data from memory, potentially exposing engineering designs, credentials, or process information stored on the workstation.

Who's at risk

Engineering and design personnel at water utilities, electric utilities, and other critical infrastructure operators who use ODA Drawing SDK for SCADA system design, PLC programming, or industrial control system documentation. Affected organizations include any facility where engineers use CAD or drawing software based on ODA libraries to create or modify control system designs.

How it could be exploited

An attacker must first gain local code execution or use a secondary vulnerability to trigger the use-after-free condition. The vulnerability could then be exploited through a specially crafted drawing file or input that causes the SDK to access freed memory or overflow a buffer, allowing memory disclosure or code execution with the privileges of the application user.

Prerequisites

Local access to the affected system
ODA Drawing SDK version prior to 2024.1 installed and in use
User interaction required (opening a malicious drawing file or document)

Local access required only (not remotely exploitable)User interaction required to triggerMemory corruption vulnerabilities (CWE-416, CWE-122) can lead to information disclosure or code executionNo patch available for older versionsPotential exposure of sensitive design and configuration data

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

Drawing SDK: <2024.1<2024.12024.1

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDTrain users not to open drawing files from untrusted sources, especially via email or downloads

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade ODA Drawing SDK to version 2024.1 or later when available and operationally feasible

Long-term hardening

0/3

HARDENINGRestrict local access to systems running ODA Drawing SDK; limit which users and administrative accounts can log on to engineering workstations

HARDENINGImplement application whitelisting on engineering workstations to prevent execution of unexpected programs that could trigger the vulnerability indirectly

HARDENINGIsolate engineering workstations and design systems from business networks using network segmentation or air-gapping where possible

CVEs (3)

CVE-2023-26495 CVE-2023-22669 CVE-2023-22670

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/5abb8d30-a741-4bc9-ac3f-dc387f4e5326