Multiple vulnerabilities in Autodesk FBX Review
Published: 2021-04-26 | Updated: 2023-10-25
Risk High
Patch available YES
Number of vulnerabilities 7
CVE-ID CVE-2021-27027, CVE-2021-27028, CVE-2021-27030, CVE-2021-27029, CVE-2021-27031, CVE-2021-40157, CVE-2021-27044
CWE-ID CWE-787, CWE-119, CWE-22, CWE-476, CWE-416, CWE-822
Exploitation vector Network
Public exploit N/A
Vulnerable software
FBX Review
Server applications / Virtualization software

Vendor Autodesk

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

Updated 01.10.2021

Added vulnerabilities #6-7

1) Out-of-bounds write

EUVDB-ID: #VU52591

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-27027

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a boundary error within the parsing of FBX files. A remote attacker can create a specially crafted FBX file, trick the victim into opening it with the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

FBX Review: 1.4.0 - 1.5.0

External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-473/
http://www.zerodayinitiative.com/advisories/ZDI-21-469/
http://www.zerodayinitiative.com/advisories/ZDI-21-471/
http://www.zerodayinitiative.com/advisories/ZDI-21-472/
http://www.zerodayinitiative.com/advisories/ZDI-21-470/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU52595

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-27028

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the parsing of FBX files. A remote attacker can create a specially crafted FBX file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.

Mitigation

Install the updates from the vendor's website.

Vulnerable software versions

FBX Review: 1.4.0 - 1.5.0

External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-465/
http://www.zerodayinitiative.com/advisories/ZDI-21-467/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Path traversal

EUVDB-ID: #VU52594

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-27030

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote attacker can trick a victim into opening a specially crafted ZIP file and read arbitrary files on the system, leading to arbitrary code execution.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

FBX Review: 1.4.0 - 1.5.0

External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-466/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) NULL pointer dereference

EUVDB-ID: #VU52593

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-27029

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a NULL pointer dereference error within the parsing of FBX files. A remote attacker can trick a victim into visiting a malicious page or opening a malicious file and execute arbitrary code on the system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

FBX Review: 1.4.0 - 1.5.0

External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-464/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Use-after-free

EUVDB-ID: #VU52592

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-27031

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a use-after-free error within the parsing of FBX files. A remote attacker can trick a victim into visiting a malicious page or opening a malicious file and execute arbitrary code on the system.

Mitigation

Install the updates from the vendor's website.

Vulnerable software versions

FBX Review: 1.4.0 - 1.5.0

External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-468/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Untrusted Pointer Dereference

EUVDB-ID: #VU56977

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-40157

CWE-ID: CWE-822 - Untrusted Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an untrusted pointer dereference error within the parsing of DAE files. A remote attacker can trick the victim into opening a specially crafted file, trigger a pointer dereference and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

FBX Review: 1.4.1.0 - 1.5.0

External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0002
http://www.zerodayinitiative.com/advisories/ZDI-21-1068/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Out-of-bounds write

EUVDB-ID: #VU56976

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-27044

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the vulnerable system.

The vulnerability exists due to a boundary error within the parsing of FBX files. A remote attacker can create a specially crafted file, trick the victim into opening it with the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

FBX Review: 1.4.1.0 - 1.5.0

External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
http://www.zerodayinitiative.com/advisories/ZDI-21-1067/
http://www.zerodayinitiative.com/advisories/ZDI-23-1569/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.