CVE-2021-22651

7.8 HIGH

📋 TL;DR

This directory traversal vulnerability in Luxion KeyShot products allows attackers to place malicious scripts in system startup folders by tricking users into opening specially crafted files. When exploited, this enables arbitrary code execution at system startup with the privileges of the logged-in user. All users of affected KeyShot versions are vulnerable.

💻 Affected Systems

Products:
  • Luxion KeyShot
  • Luxion KeyShot Viewer
  • Luxion KeyShot Network Rendering
  • Luxion KeyVR
Versions: All versions prior to 10.1
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in file processing logic; no special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via persistent malware installation that executes automatically on every system boot, potentially leading to data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

Local privilege escalation leading to malware persistence, data exfiltration, or system disruption when users open malicious KeyShot files.

🟢 If Mitigated

Limited impact if users have restricted privileges, application whitelisting, or file execution restrictions in startup folders.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but can be delivered via email, downloads, or compromised websites.
🏢 Internal Only: HIGH - Internal users frequently share KeyShot files; exploitation requires minimal technical skill once malicious file is obtained.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user to open malicious file; ZDI advisory confirms exploit details. Weaponization likely due to low complexity and high impact.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1 and later

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-231216.pdf

Restart Required: Yes

Instructions:

1. Download KeyShot 10.1 or later from official vendor site.
2. Install update following vendor instructions.
3. Restart system to ensure patch is fully applied.

🔧 Temporary Workarounds

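Restrict startup folder permissions (Windows)

Set restrictive permissions on system startup folders to prevent unauthorized script placement. The deny entry in the commands below covers Full control, so it also blocks reading and running legitimate startup items for every account until the entry is removed.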

icacls "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" /deny Everyone:(OI)(CI)F
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" /deny Everyone:(OI)(CI)F

Use application whitelisting (all platforms)

Implement application control policies to prevent unauthorized executables from running from startup locations.

🧯 If You Can't Patch

  • Restrict user privileges to prevent writing to startup folders
  • Implement email/web filtering to block suspicious KeyShot files
  • Educate users not to open KeyShot files from untrusted sources
  • Monitor startup folder modifications using file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check KeyShot version via Help > About; if version is below 10.1, system is vulnerable.

Check Version:

On Windows: Check registry at HKEY_LOCAL_MACHINE\SOFTWARE\Luxion\KeyShot\Version or run 'keyshot --version' from command line if available.

Verify Fix Applied:

Confirm version is 10.1 or higher in Help > About menu; test with known safe KeyShot files to ensure normal operation.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file writes to startup folders (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp or %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup)
  • KeyShot process spawning unusual child processes
  • Failed attempts to write to protected startup locations

Network Indicators:

  • KeyShot processes making unexpected network connections after startup
  • Downloads of KeyShot files from untrusted sources followed by startup folder modifications

SIEM Query:

(EventID=4663 OR EventID=4656) AND ObjectName LIKE '%Startup%' AND ProcessName LIKE '%KeyShot%'
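
The same detection logic applied offline to exported Security events, as an added example that is not part of the original advisory. It goes beyond the query by anchoring the match to the two startup folders listed above and by requiring a write bit in the access mask; the sample events, the install path and the `is_suspicious` / `triage` names are constructed for illustration.

```python
import re

# Startup folders named on this page. Assumes system drive C: and default profile paths.
STARTUP_RE = re.compile(
    r"^(?:c:\\programdata|c:\\users\\[^\\]+\\appdata\\roaming)"
    r"\\microsoft\\windows\\start menu\\programs\\startup(?:\\|$)",
    re.IGNORECASE,
)
WRITE_BITS = 0x2 | 0x4  # WriteData/AddFile, AppendData/AddSubdirectory


def is_suspicious(event):
    """True when a KeyShot process requested or used write access under a startup folder."""
    if event.get("EventID") not in (4656, 4663):
        return False
    image = event.get("ProcessName", "").lower().rsplit("\\", 1)[-1]
    if "keyshot" not in image:  # substring match, like the query's LIKE '%KeyShot%'
        return False
    if not STARTUP_RE.match(event.get("ObjectName", "")):
        return False
    return bool(int(event.get("AccessMask", "0x0"), 16) & WRITE_BITS)


def triage(events):
    """Return (EventID, ObjectName) for every matching event, in input order."""
    return [(e["EventID"], e["ObjectName"]) for e in events if is_suspicious(e)]


# Constructed sample records (not real logs).
KS = r"C:\Program Files\KeyShot\bin\keyshot.exe"  # hypothetical install path
ALL_USERS = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
PER_USER = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"EventID": 4663, "ProcessName": KS, "ObjectName": PER_USER + r"\run.bat", "AccessMask": "0x2"},
    {"EventID": 4663, "ProcessName": KS, "ObjectName": ALL_USERS, "AccessMask": "0x1"},  # list only
    {"EventID": 4663, "ProcessName": r"C:\Windows\explorer.exe", "ObjectName": PER_USER + r"\a.lnk", "AccessMask": "0x2"},
    {"EventID": 4656, "ProcessName": KS, "ObjectName": ALL_USERS + r"\x.vbs", "AccessMask": "0x6"},
    # '%Startup%' would match this path; the anchored pattern does not.
    {"EventID": 4663, "ProcessName": KS, "ObjectName": r"C:\Users\alice\Documents\Startup notes\scene.bip", "AccessMask": "0x2"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Events 4663 and 4656 are only logged when object-access auditing is enabled and the startup folders carry an auditing entry (SACL).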
