Siemens has mitigated 21 vulnerabilities in two of its virtualization software tools that, if exploited, could enable attackers to gain remote control, exfiltrate data or cause systems to crash. It’s urging customers to shift to updated versions of the software that fix the flaws.
The Flaws
All the vulnerabilities that were disclosed by Siemens have a CVSS rank of 7.8, or highly vulnerable. Among the flaws are:
- CVE-2020-26998: This vulnerability is caused by improper validation of user data while parsing PAR files. It could lead to memory access and data leaks.
- CVE-2020-27000: This vulnerability, which arises from parsing BMP files, could enable attackers to perform remote code execution.
- CVE-2020-27001: This is a stack-based buffer overflow caused by parsing of PAR files that could lead to remote code execution.
- CVE-2020-27003: This flaw is caused by parsing of TIFF files. It, too, could lead to remote code execution.
Many of the vulnerabilities disclosed by Siemens are linked to the use of Open Design Alliance software development kits. The alliance has released details of the issues involved.
