Multiple Vulnerabilities in Autodesk FBX-SDK library Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2020-053

DATE(S) ISSUED:

04/22/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in the Autodesk FBX-SDK library, the most severe of which could allow for arbitrary code execution. Several Microsoft products utilize this library and are affected by these vulnerabilities. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • FBX-SDK 2019.5 and earlier
  • Maya 2019 and earlier
  • Motion Builder 2019 and earlier
  • Mudbox 2019 and earlier
  • 3ds Max 2020 and earlier
  • Fusion ATF 8 and earlier
  • Revit 2020 and earlier
  • Flame 2019 and earlier
  • Infraworks 2020 and earlier
  • Navisworks 2019 Update 4 and earlier
  • Autodesk AutoCAD 2019 and earlier
  • Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions
  • Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions
  • Microsoft Office 2019 for 32-bit editions
  • Office 365 ProPlus for 32-bit Systems
  • Office 365 ProPlus for 64-bit Systems
  • Paint 3D

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: N/A
  • Small business entities: MEDIUM
Home Users:
LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in the Autodesk FBX-SDK library, the most severe of which could allow for arbitrary code execution.

A full list of all vulnerabilities can be found at the link below:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200004#ID0EA

  • CVE-2020-7080: A buffer overflow vulnerability in the Autodesk FBX-SDK versions 2019.0 and earlier may lead to arbitrary code execution on a system running it.
  • CVE-2020-7081: A type confusion vulnerability in the Autodesk FBX-SDK versions 2019.0 and earlier may lead to arbitrary code read/write on the system running it.
  • CVE-2020-7082: A use-after-free vulnerability in the Autodesk FBX-SDK versions 2019.0 and earlier may lead to code execution on a system running it.
  • CVE-2020-7083: An intager overflow vulnerability in the Autodesk FBX-SDK versions 2019.0 and earlier may lead to denial of service of the application.
  • CVE-2020-7084: A NULL pointer dereference vulnerability in the Autodesk FBX-SDK versions 2019.0 and earlier may lead to denial of service of the application.
  • CVE-2020-7085: A heap overflow vulnerability in the Autodesk FBX-SDK versions 2019.2 and earlier may lead to arbitrary code execution on a system running it.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
  • Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0

Pencil Blog post 03 Dec 2020
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0