This week, Cisco Talos security researchers disclosed six high-severity vulnerabilities in Gerbv, an open-source file viewer for printed circuit board (PCB) designs. Gerbv is a native Linux program that also runs on various other UNIX systems and has a Windows version. It has been downloaded more than a million times from SourceForge.
The program can be used as a standalone application or as a library to read file formats that describe the layers of a circuit board, such as Excellon drill files, RS-274X Gerber files, and pick-and-place files.
“Some PCB manufacturers use software like Gerbv in their web interfaces as a tool to convert Gerber (or other supported) files into images. Users can upload Gerber files to the manufacturer website, which are converted to an image to be displayed in the browser, so that users can verify that what has been uploaded matches their expectations,” Talos clarified.
The vulnerabilities are reachable over the network and require neither user interaction nor elevated privileges. According to the researchers, all of them lie in Gerbv’s handling of Gerber files. Four of the newly reported vulnerabilities carry a CVSS score of 10: CVE-2021-40391, CVE-2021-40393, CVE-2021-40394, and CVE-2021-40401. All four can be exploited by submitting a specially crafted file to Gerbv.
Two out-of-bounds writes, one integer overflow, and a use-after-free can all be exploited to execute code. Two further critical-severity vulnerabilities, CVE-2021-40400 and CVE-2021-40402, can be used to disclose information; both are likewise triggered by delivering a specially crafted Gerber file.
Cisco Talos researchers also found a medium-severity information disclosure vulnerability in Gerbv’s pick-and-place rotation parsing (CVE-2021-40403), which lets an attacker leak memory contents using specially crafted files. According to Talos, fixes for four of these flaws (three critical-severity and one medium-severity) have been released. Although the vendor was notified more than 90 days ago, two of the issues (CVE-2021-40400 and CVE-2021-40402) remain unpatched.