Remote Code Execution Vulnerability in Luxion KeyShot and KeyVR
CVE-2021-22645
7.8 HIGH
Summary
Several versions of Luxion KeyShot, KeyShot Viewer, KeyShot Network Rendering, and KeyVR are susceptible to a remote code execution vulnerability due to insecure handling of .bip documents. The flaw allows malicious .bip files to execute a load command that points to a .dll file located on a remote network share. This presents a risk as the .dll entry point can be executed without adequate user interface warnings, potentially leading to unauthorized access and control over the affected systems.
Affected Version(s)
Luxion KeyShot versions prior to 10.1
Luxion KeyShot Network Rendering versions prior to 10.1
Luxion KeyShot Viewer versions prior to 10.1
CVSS V3.1
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved