CVE-2021-22645

7.8 HIGH

📋 TL;DR

This vulnerability allows attackers to execute arbitrary code by tricking users into opening malicious .bip documents that load DLLs from remote network shares. It affects Luxion KeyShot software users who open untrusted documents, particularly in industrial design and engineering environments.

💻 Affected Systems

Products:
  • Luxion KeyShot
  • Luxion KeyShot Viewer
  • Luxion KeyShot Network Rendering
  • Luxion KeyVR
Versions: All versions prior to 10.1
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable when opening .bip documents.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with remote code execution leading to data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

Malware installation or credential theft when users open malicious documents from untrusted sources.

🟢 If Mitigated

Limited impact with proper network segmentation and user awareness training preventing document execution from untrusted locations.

🌐 Internet-Facing: MEDIUM - Requires user interaction with malicious documents, but these could be distributed via email or compromised websites.
🏢 Internal Only: HIGH - Internal users frequently share .bip documents, and network shares are common in enterprise environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to open a malicious document but is technically simple once the document is crafted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1 and later

Vendor Advisory: https://www.keyshot.com/support/

Restart Required: Yes

Instructions:

1. Download KeyShot 10.1 or later from the official website.
2. Run the installer.
3. Restart the system after installation completes.

🔧 Temporary Workarounds

Block remote DLL loading via Group Policy

Platform: Windows

Prevent loading of DLLs from remote network shares using Windows Group Policy.

gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies -> Additional Rules -> New Path Rule -> Path: \\*\* -> Security Level: Disallowed

Restrict .bip file handling

Platform: All

Configure systems to open .bip files only in sandboxed environments or with reduced privileges.

🧯 If You Can't Patch

  • Implement application whitelisting to block unauthorized DLL execution.
  • Educate users to never open .bip documents from untrusted sources or network shares.

🔍 How to Verify

Check if Vulnerable:

Check the KeyShot version in Help -> About. If the version is below 10.1, the system is vulnerable.

Check Version:

On Windows: reg query "HKLM\SOFTWARE\Luxion\KeyShot" /v Version

Verify Fix Applied:

Confirm the version is 10.1 or higher in Help -> About, and test opening .bip documents from network shares (in a safe environment).

📡 Detection & Monitoring

Log Indicators:

  • Process creation events for KeyShot loading DLLs from network paths (\\*\*.dll)
  • Windows Event ID 4688 with KeyShot process loading remote DLLs

Network Indicators:

  • SMB connections from KeyShot processes to untrusted IP addresses
  • Unusual outbound connections following .bip file opening

SIEM Query:

source="windows" EventCode=4688 ProcessName="*KeyShot*" CommandLine="*\\*\*.dll*"
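
The log indicator above (a KeyShot process loading a DLL from a network path), as an added detection example that is not part of the original advisory or vendor material. It assumes module-load telemetry in the shape of Sysmon Event ID 7 records (`Image`, `ImageLoaded`), matches product executables by the hypothetical substrings `keyshot` and `keyvr`, and goes beyond the plain `\\server\share` form to cover `\\?\UNC\` and WebDAV paths; all sample events and paths are constructed.

```python
import re
from ntpath import basename

# Assumption: executables of the affected products contain one of these
# substrings, mirroring the *KeyShot* wildcard in the SIEM query.
PRODUCT_HINTS = ("keyshot", "keyvr")

# Remote forms: \\server\share\..., \\?\UNC\server\share\..., and WebDAV
# (\\host@SSL\DavWWWRoot\...). Local \\?\C:\ and \\.\ device paths are excluded.
_UNC = re.compile(r"^\\\\(?:\?\\UNC\\)?(?P<host>[^\\?.][^\\]*)\\[^\\]+\\", re.I)


def remote_host(path):
    """Return the server part of a remote (UNC) path, or None if local."""
    m = _UNC.match(path.strip())
    return m.group("host") if m else None


def flag_remote_dll_loads(events):
    """Return (image, module, host) for product processes loading remote modules."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:  # assumed: Sysmon ImageLoad records only
            continue
        image, module = ev.get("Image", ""), ev.get("ImageLoaded", "")
        if not any(h in basename(image).lower() for h in PRODUCT_HINTS):
            continue
        host = remote_host(module)
        if host:  # any module from a remote path counts, whatever its extension
            hits.append((image, module, host))
    return hits


# Constructed sample events; the install path is hypothetical.
_EXE = r"C:\Program Files\KeyShot\bin\keyshot.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": _EXE, "ImageLoaded": r"\\203.0.113.7\share\plugin.dll"},
    {"EventID": 7, "Image": _EXE, "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": _EXE, "ImageLoaded": r"\\?\UNC\files01\projects\render.DLL"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"\\files01\t\s.dll"},
    {"EventID": 7, "Image": _EXE, "ImageLoaded": r"\\?\C:\Windows\System32\user32.dll"},
]

if __name__ == "__main__":
    for hit in flag_remote_dll_loads(SAMPLE_EVENTS):
        print(hit)
```

The returned host can be compared against the file servers a site actually uses for KeyShot projects to separate expected shares from unknown ones.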
