CVE-2021-27494

7.8 HIGH

📋 TL;DR

This vulnerability allows remote code execution through specially crafted STP files in KeyShot's 3D file parsing modules. Attackers can exploit stack-based buffer overflows to execute arbitrary code with the privileges of the current process. Users of KeyShot versions v10.1 and earlier are affected.

💻 Affected Systems

Products:
  • KeyShot
Versions: v10.1 and prior
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in CatiaV5_3dRead, CatiaV6_3dRead, Step3dRead, Ug3dReadPsr, and Jt3dReadPsr modules when parsing STP files.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.

🟠

Likely Case

Local privilege escalation or remote code execution when users open malicious STP files, potentially leading to malware installation or data exfiltration.

🟢

If Mitigated

Limited impact with proper network segmentation, application sandboxing, and user awareness preventing malicious file execution.

🌐 Internet-Facing: MEDIUM - Risk exists if KeyShot is exposed to untrusted networks or users can upload STP files to web interfaces.
🏢 Internal Only: HIGH - Internal users opening malicious STP files (received via email or shared drives) can trigger exploitation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious STP file. The ZDI advisory suggests that exploit development is feasible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: KeyShot v10.2 or later

Vendor Advisory: https://www.keyshot.com/support/

Restart Required: Yes

Instructions:

1. Download KeyShot v10.2 or later from the official website.
2. Install the update following vendor instructions.
3. Restart the application and system if prompted.

🔧 Temporary Workarounds

Restrict STP file handling (applies to: all)

Block or restrict processing of STP files through application controls or file type restrictions.

Application sandboxing (applies to: all)

Run KeyShot in restricted environments or sandboxes to limit potential damage from exploitation.

🧯 If You Can't Patch

  • Implement strict file validation for STP files before opening in KeyShot
  • Use network segmentation to isolate KeyShot systems from critical assets

🔍 How to Verify

Check if Vulnerable:

Check the KeyShot version in the Help > About menu. If the version is 10.1 or earlier, the system is vulnerable.

Check Version:

On Windows: check the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Luxion\KeyShot\Version. On macOS/Linux: check the application info or package manager.

Verify Fix Applied:

Verify version is 10.2 or later in Help > About menu after update installation.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when opening STP files
  • Unusual process spawning from KeyShot
  • Memory access violation errors

Network Indicators:

  • Unexpected outbound connections from KeyShot process
  • File downloads to KeyShot directory

SIEM Query:

Process creation where parent_process contains 'KeyShot' AND (process contains 'cmd.exe' OR process contains 'powershell.exe' OR process contains 'bash')
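The SIEM query above, written out as runnable detection logic over a handful of constructed process-creation events (an added example, not part of the original advisory; the event field names and KeyShot install paths are assumptions). It tightens the page's substring match on the child process to an exact executable-name match so that names merely containing "bash" do not fire.

```python
from typing import Dict, Iterable, List

# Constructed sample events in a Sysmon-style shape; these are made up for
# the example and are not real KeyShot telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 1, "host": "ws01", "parent_image": r"C:\Program Files\KeyShot10\bin\keyshot.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 2, "host": "ws01", "parent_image": r"C:\Program Files\KeyShot10\bin\keyshot.exe",
     "image": r"C:\Program Files\KeyShot10\bin\keyshot_helper.exe", "cmdline": "keyshot_helper.exe"},
    {"id": 3, "host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"id": 4, "host": "ws02", "parent_image": r"C:\Program Files\KeyShot10\bin\KEYSHOT.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell -nop"},
    {"id": 5, "host": "lx01", "parent_image": "/opt/keyshot10/bin/keyshot",
     "image": "/bin/bash", "cmdline": "bash -c id"},
    {"id": 6, "host": "lx01", "parent_image": "/opt/keyshot10/bin/keyshot",
     "image": "/usr/bin/bash_completion_helper", "cmdline": "bash_completion_helper"},
]

# Shells/interpreters named in the advisory's SIEM query.
SUSPICIOUS_CHILDREN = frozenset({"cmd.exe", "powershell.exe", "bash"})


def executable_name(path: str) -> str:
    """Return the lower-cased final path component, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matches_rule(event: Dict[str, object]) -> bool:
    """Parent image contains 'keyshot' (case-insensitive) and the child is a listed shell."""
    parent_is_keyshot = "keyshot" in str(event["parent_image"]).lower()
    child_is_shell = executable_name(str(event["image"])) in SUSPICIOUS_CHILDREN
    return parent_is_keyshot and child_is_shell


def flag_suspicious_spawns(events: Iterable[Dict[str, object]]) -> List[int]:
    """Return the ids of events that should raise an alert, in input order."""
    return [int(e["id"]) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for event_id in flag_suspicious_spawns(SAMPLE_EVENTS):
        print(f"ALERT: shell spawned from KeyShot (event {event_id})")
```

Event 6 shows the false positive a plain `contains 'bash'` match would produce; event 2 shows that KeyShot spawning its own helpers is not flagged, so baseline legitimate child processes before deploying the rule.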
