CVE-2021-45844
📋 TL;DR
CVE-2021-45844 is an OS command injection vulnerability in FreeCAD's ODA File Converter that allows attackers to execute arbitrary commands on the system by using a specially crafted filename. This affects FreeCAD users who process untrusted CAD files. The vulnerability stems from improper input sanitization when invoking external converters.
💻 Affected Systems
- FreeCAD
📦 What is this software?
FreeCAD by FreeCADweb
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with arbitrary command execution as the user running FreeCAD, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation or execution of malicious commands when processing untrusted CAD files, potentially compromising the user's workstation.
If Mitigated
Limited impact if running with minimal privileges, in sandboxed environments, or with strict file validation controls.
🎯 Exploit Status
Exploitation requires user interaction to open a malicious CAD file. No publicly available exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FreeCAD 0.20 and later
Vendor Advisory: https://tracker.freecad.org/view.php?id=4809
Restart Required: Yes
Instructions:
1. Download FreeCAD 0.20 or later from freecad.org.
2. Uninstall the previous version.
3. Install the new version.
4. Restart the system.
🔧 Temporary Workarounds
Disable ODA File Converter
Remove or disable the ODA File Converter plugin to prevent exploitation
Remove ODA File Converter from FreeCAD's plugin directory or disable via preferences
Restrict File Processing
Only process CAD files from trusted sources
🧯 If You Can't Patch
- Run FreeCAD with minimal user privileges (non-admin/non-root account)
- Use application sandboxing or virtualization to isolate FreeCAD from critical systems
🔍 How to Verify
Check if Vulnerable:
Check FreeCAD version: if version is 0.19 or earlier, system is vulnerable
Check Version:
On Linux: freecad --version | grep -i version
On Windows: check Help > About in the FreeCAD GUI
Verify Fix Applied:
Verify FreeCAD version is 0.20 or later
📡 Detection & Monitoring
Log Indicators:
- Unusual process spawns from FreeCAD
- Suspicious command execution patterns
- ODA File Converter errors with unusual filenames
Network Indicators:
- Unexpected outbound connections from FreeCAD process
SIEM Query:
Process creation where parent_process contains 'freecad' and command_line contains suspicious characters (;, &, |, $, etc.)
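As an added example that is not part of this advisory, the SIEM query above expressed as a small Python filter run over constructed process-creation events; the JSON field names (`parent_process`, `process`, `command_line`) are assumptions and must be mapped to whatever your EDR or SIEM actually emits:

```python
import json
import re

# Shell metacharacters the query above flags; the converter is normally
# invoked with a plain file path, so none of these belong in its command line.
SUSPICIOUS = re.compile(r"[;&|$`]")


def is_suspicious(event: dict) -> bool:
    """True when a FreeCAD child process carries shell metacharacters."""
    parent = event.get("parent_process", "").lower()
    cmd = event.get("command_line", "")
    return "freecad" in parent and SUSPICIOUS.search(cmd) is not None


def scan(lines):
    """Parse one JSON event per line and return the events that match."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate malformed lines instead of aborting the scan
        if is_suspicious(event):
            hits.append(event)
    return hits


# Constructed sample events (field names assumed, not from a real EDR).
SAMPLE_LOG = """
{"parent_process": "/usr/bin/freecad", "process": "/usr/bin/ODAFileConverter", "command_line": "ODAFileConverter /home/user/part.dwg /tmp/out ACAD2018 DXF 0 1"}
{"parent_process": "/usr/bin/freecad", "process": "/bin/sh", "command_line": "sh -c ODAFileConverter /home/user/part;sample.dwg /tmp/out"}
{"parent_process": "/usr/bin/bash", "process": "/usr/bin/ls", "command_line": "ls -la | grep dwg"}
"""

if __name__ == "__main__":
    for event in scan(SAMPLE_LOG.splitlines()):
        print("ALERT:", event["process"], event["command_line"])
```

Filenames that legitimately contain these characters (a folder named `R&D`, for instance) will also match, so pair the rule with a path allow-list before routing it to alerting.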
🔗 References
- https://forum.freecadweb.org/viewtopic.php?t=64733
- https://lists.debian.org/debian-lts-announce/2022/03/msg00004.html
- https://lists.debian.org/debian-lts-announce/2022/08/msg00008.html
- https://tracker.freecad.org/view.php?id=4809
- https://www.debian.org/security/2022/dsa-5229