CVE-2021-44859

7.8 HIGH

📋 TL;DR

An out-of-bounds read vulnerability in the Open Design Alliance Drawings SDK allows attackers to execute arbitrary code by supplying a malicious TGA file. It affects applications that use SDK versions before 2022.12 to process TGA files. The vulnerability enables remote code execution in the context of the application that processes the file.

💻 Affected Systems

Products:
  • Open Design Alliance Drawings SDK
Versions: All versions before 2022.12
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using the ODA Drawings SDK to process TGA files is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crash leading to denial of service, with potential for code execution if exploit is refined.

🟢

If Mitigated

Application crash without code execution if memory protections are enabled.

🌐 Internet-Facing: MEDIUM - Requires user interaction to open malicious TGA file, but common in design/CAD applications.
🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious files via email or shared drives.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious TGA file. No public exploit code is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2022.12 or later

Vendor Advisory: https://www.opendesign.com/security-advisories

Restart Required: Yes

Instructions:

1. Download ODA Drawings SDK version 2022.12 or later from the vendor portal.
2. Replace the existing SDK installation.
3. Rebuild and redeploy applications that use the SDK.
4. Restart affected services.

🔧 Temporary Workarounds

Block TGA file processing (platforms: all)

Disable TGA file support in applications using the SDK

File type restrictions (platforms: all)

Implement file type filtering to block TGA files at the network perimeter or application level

🧯 If You Can't Patch

  • Implement application sandboxing to limit impact of potential code execution
  • Use endpoint protection with memory corruption detection capabilities

🔍 How to Verify

Check if Vulnerable:

Check SDK version in application dependencies or vendor documentation

Check Version:

Check application documentation or contact vendor for version verification method

Verify Fix Applied:

Verify SDK version is 2022.12 or later and test TGA file processing functionality

📡 Detection & Monitoring

Log Indicators:

  • Application crashes when processing TGA files
  • Memory access violation errors in application logs

Network Indicators:

  • Unusual TGA file transfers to design/CAD systems

SIEM Query:

source="application_logs" AND ("access violation" OR "segmentation fault") AND file_extension="tga"
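The following is an added example, not part of the original advisory page or of any ODA tooling, showing the two checks above in code: an SDK version test against the 2022.12 fix threshold named on this page, and the SIEM logic (crash keyword plus a .tga file reference on the same log line) run over constructed sample log lines. It assumes the SDK reports its version as a dotted year.month string such as "2022.12"; the log format is invented for the example.

```python
import re

# First fixed release, as stated on this page.
FIXED_VERSION = (2022, 12)


def parse_version(version):
    """Turn a dotted version string such as '2022.11' into a tuple of ints
    so that versions compare numerically rather than as strings
    ('2022.9' < '2022.12' is only true numerically)."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version):
    """True when the reported SDK version is older than 2022.12.
    Assumption: ODA versions follow a year.month scheme as on this page."""
    return parse_version(version) < FIXED_VERSION


# Mirrors the page's SIEM query: a crash keyword and a .tga reference on one line.
CRASH_PATTERN = re.compile(r"access violation|segmentation fault", re.IGNORECASE)
TGA_PATTERN = re.compile(r"[\w./\\-]+\.tga\b", re.IGNORECASE)


def find_tga_crash_indicators(lines):
    """Return the log lines that show a memory-access crash while a .tga
    file is being handled. Lines that crash without a TGA reference, or
    mention TGA files without crashing, are not reported."""
    return [line for line in lines
            if CRASH_PATTERN.search(line) and TGA_PATTERN.search(line)]


# Constructed sample log lines (not real application output).
SAMPLE_LOG = [
    "2024-03-01T10:02:11Z ERROR cadviewer: access violation reading 0x00000000 while decoding /imports/logo.tga",
    "2024-03-01T10:05:42Z INFO  cadviewer: opened /imports/floorplan.dwg",
    "2024-03-01T10:07:03Z ERROR cadviewer: segmentation fault in image loader for C:\\imports\\bad.TGA",
    "2024-03-01T10:09:15Z ERROR cadviewer: access violation in plotter module (no file)",
]


if __name__ == "__main__":
    for v in ("2022.11", "2022.12", "2023.3"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    for hit in find_tga_crash_indicators(SAMPLE_LOG):
        print("INDICATOR:", hit)
```

The version check treats any multi-component version (for example a hypothetical "2022.12.1") as at least as new as 2022.12, which is what tuple comparison gives; adjust `parse_version` if a deployment reports versions in a different scheme. The log filter is deliberately narrow, matching the page's own query, so it will not catch crashes whose log line omits the file name.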

🔗 References
