Bug: Potential Security Vulnerability w/ReWire Menu

Issue observed since Cubase 9.5.20 up to current.

The menu under “Studio” which opens control panels of ReWire plugins uses the (unprefixed) names of the plugins internally to map menu items to actions. For example, a plugin with the name “Transport” will open the Cubase transport panel instead of the plugin’s own panel. You may shrug this off as a funny coincidence, while it could in fact be a serious problem.

We haven’t tested what happens for plugins with other arbitrary names, but it might be possible for someone to hack their way into the underpinnings of Cubase for reverse engineering purposes by exploiting this bug. What else could be opened or triggered, simply by renaming a ReWire plugin?

This is certainly not what Steinberg developers intended.

The fix is easy: Prefix menu keys internally, so they can’t randomly clash with vital Cubase functions.

I posted this weeks ago already, but it got no attention. I’m a developer myself with decades of experience. You should really escalate this to development asap.
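
The key clash and the proposed prefix fix from the post above, as an added example that is not part of the original post and not Cubase code. The `Dispatcher` type, the `host:` and `rewire:` prefixes and the panel labels are hypothetical; only the plugin name “Transport” comes from the report.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical model of a menu dispatcher: one table maps keys to actions.
// prefixed == false models the reported behaviour, true models the fix.
struct Dispatcher {
    bool prefixed;
    std::map<std::string, std::string> actions;  // key -> panel that opens

    explicit Dispatcher(bool p) : prefixed(p) {}

    // Keys for built-in host functions and for third-party plugin entries.
    std::string hostKey(const std::string& n) const { return prefixed ? "host:" + n : n; }
    std::string pluginKey(const std::string& n) const { return prefixed ? "rewire:" + n : n; }

    void registerHost(const std::string& name) {
        actions[hostKey(name)] = "host panel: " + name;
    }

    // Returns false when the key already exists, so a clash can be
    // rejected or logged instead of silently resolving to another action.
    bool registerPlugin(const std::string& name) {
        return actions.emplace(pluginKey(name), "plugin panel: " + name).second;
    }

    // What opens when the user clicks the plugin's menu entry.
    std::string clickPluginMenuItem(const std::string& name) const {
        auto it = actions.find(pluginKey(name));
        return it == actions.end() ? "no action" : it->second;
    }
};

// Registers the host's "Transport" action, then a plugin, then clicks the plugin entry.
std::string demo(bool prefixed, const std::string& pluginName) {
    Dispatcher d(prefixed);
    d.registerHost("Transport");
    d.registerPlugin(pluginName);
    return d.clickPluginMenuItem(pluginName);
}

int main() {
    std::cout << "unprefixed: " << demo(false, "Transport") << "\n";
    std::cout << "prefixed:   " << demo(true, "Transport") << "\n";
}
```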

I confirm this issue. For reference, my original report (written from a user point of view) is here: Synfire Cannot Be ReWired to Cubase 9.5.21 - Cubase - Steinberg Forums

Best regards

Miloslav

Has this been considered yet?

It might not immediately affect that many ReWire plugins out there (depending on how unwitting developers will label them), but there is much potential for unwanted side effects. The fix is easy. Please.