Risk | High |
Patch available | YES |
Number of vulnerabilities | 7 |
CVE-ID | CVE-2021-27027, CVE-2021-27028, CVE-2021-27030, CVE-2021-27029, CVE-2021-27031, CVE-2021-40157, CVE-2021-27044 |
CWE-ID | CWE-787, CWE-119, CWE-22, CWE-476, CWE-416, CWE-822 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | FBX Review (Server applications / Virtualization software) |
Vendor | Autodesk |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
Updated 01.10.2021: added vulnerabilities #6-7
EUVDB-ID: #VU52591
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27027
CWE-ID: CWE-787 - Out-of-bounds write
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error within the parsing of FBX files. A remote attacker can create a specially crafted FBX file, trick the victim into opening it with the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: FBX Review 1.4.0 - 1.5.0
External links:
http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-473/
http://www.zerodayinitiative.com/advisories/ZDI-21-469/
http://www.zerodayinitiative.com/advisories/ZDI-21-471/
http://www.zerodayinitiative.com/advisories/ZDI-21-472/
http://www.zerodayinitiative.com/advisories/ZDI-21-470/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52595
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27028
CWE-ID: CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the parsing of FBX files. A remote attacker can create a specially crafted FBX file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install the updates from the vendor's website.
Vulnerable software versions: FBX Review 1.4.0 - 1.5.0
External links:
http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-465/
http://www.zerodayinitiative.com/advisories/ZDI-21-467/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52594
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27030
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote attacker can trick a victim into opening a specially crafted ZIP file and read arbitrary files on the system, leading to arbitrary code execution.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: FBX Review 1.4.0 - 1.5.0
External links:
http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-466/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52593
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27029
CWE-ID: CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a NULL pointer dereference error within the parsing of FBX files. A remote attacker can trick a victim into visiting a malicious page or opening a malicious file and execute arbitrary code on the system.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: FBX Review 1.4.0 - 1.5.0
External links:
http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-464/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52592
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27031
CWE-ID: CWE-416 - Use After Free
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error within the parsing of FBX files. A remote attacker can trick a victim into visiting a malicious page or opening a malicious file and execute arbitrary code on the system.
Mitigation: Install the updates from the vendor's website.
Vulnerable software versions: FBX Review 1.4.0 - 1.5.0
External links:
http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-468/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU56977
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-40157
CWE-ID: CWE-822 - Untrusted Pointer Dereference
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an untrusted pointer dereference error within the parsing of DAE files. A remote attacker can trick the victim into opening a specially crafted file, trigger a pointer dereference and execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: FBX Review 1.4.1.0 - 1.5.0
External links:
http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0002
http://www.zerodayinitiative.com/advisories/ZDI-21-1068/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU56976
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27044
CWE-ID: CWE-787 - Out-of-bounds write
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error within the parsing of FBX files. A remote attacker can create a specially crafted file, trick the victim into opening it with the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: FBX Review 1.4.1.0 - 1.5.0
External links:
http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-1067/
http://www.zerodayinitiative.com/advisories/ZDI-23-1569/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.