Vulnerability Details : CVE-2021-22645
Luxion KeyShot versions prior to 10.1, Luxion KeyShot Viewer versions prior to 10.1, Luxion KeyShot Network Rendering versions prior to 10.1, and Luxion KeyVR versions prior to 10.1 are vulnerable to an attack because the .bip documents display a “load” command, which can be pointed to a .dll from a remote network share. As a result, the .dll entry point can be executed without sufficient UI warning.
Products affected by CVE-2021-22645
- cpe:2.3:o:siemens:solid_edge_se2020_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:siemens:solid_edge_se2021_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:a:luxion:keyshot:*:*:*:*:*:*:*:*
- cpe:2.3:a:luxion:keyshot_network_rendering:*:*:*:*:*:*:*:*
- cpe:2.3:a:luxion:keyshot_viewer:*:*:*:*:*:*:*:*
- cpe:2.3:a:luxion:keyvr:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-22645
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~37% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2021-22645
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
CWE ids for CVE-2021-22645
- The user interface provides a warning to a user regarding dangerous or sensitive operations, but the warning is not noticeable enough to warrant attention. Assigned by: ics-cert@hq.dhs.gov (Secondary)
References for CVE-2021-22645
- https://www.zerodayinitiative.com/advisories/ZDI-21-323/ (ZDI-21-323 | Zero Day Initiative) Third Party Advisory; VDB Entry
- https://cert-portal.siemens.com/productcert/pdf/ssa-231216.pdf Third Party Advisory
- https://us-cert.cisa.gov/ics/advisories/icsa-21-035-01 (Luxion KeyShot | CISA) Third Party Advisory; US Government Resource