Multiple vulnerabilities in Autodesk AutoCAD desktop software



| Updated: 2023-09-20
Risk High
Patch available YES
Number of vulnerabilities 6
CVE-ID CVE-2023-29073
CVE-2023-29074
CVE-2023-29075
CVE-2023-29076
CVE-2023-41139
CVE-2023-41140
CWE-ID CWE-122
CWE-787
CWE-119
CWE-822
Exploitation vector Network
Public exploit N/A
Vulnerable software
Advance Steel
Client/Desktop applications / Multimedia software

AutoCAD Architecture
Client/Desktop applications / Multimedia software

AutoCAD Electrical
Client/Desktop applications / Multimedia software

AutoCAD Map 3D
Client/Desktop applications / Multimedia software

AutoCAD Mechanical
Client/Desktop applications / Multimedia software

AutoCAD MEP
Client/Desktop applications / Multimedia software

AutoCAD Plant 3D
Client/Desktop applications / Multimedia software

AutoCAD LT
Client/Desktop applications / Multimedia software

AutoCAD Mac
Client/Desktop applications / Multimedia software

AutoCAD Mac LT
Client/Desktop applications / Multimedia software

Autodesk Civil 3D
Client/Desktop applications / Multimedia software

Autodesk AutoCAD
Other software / Other software solutions

Vendor Autodesk

Security Bulletin

This security bulletin contains information about 6 vulnerabilities.

1) Heap-based buffer overflow

EUVDB-ID: #VU80205

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29073

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing models. A remote attacker can trick the victim to load a specially crafted MODEL file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Advance Steel: 2023 - 2023.1.3

Autodesk AutoCAD: before 2023.1.4

AutoCAD Architecture: before 2023.1.4

AutoCAD Electrical: before 2023.1.4

AutoCAD Map 3D: before 2023.1.4

AutoCAD Mechanical: before 2023.1.4

AutoCAD MEP: before 2023.1.4

AutoCAD Plant 3D: before 2023.1.4

AutoCAD LT: before 2023.1.4

AutoCAD Mac: before 2024.1

AutoCAD Mac LT: before 2024.1

Autodesk Civil 3D: before 2023.1.4

CPE2.3 External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0018
http://www.zerodayinitiative.com/advisories/ZDI-23-1439/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds write

EUVDB-ID: #VU80206

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29074

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing CATPART files. A remote attacker can create a specially crafted CATPART file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Autodesk AutoCAD: before 2023.1.4

AutoCAD Architecture: before 2023.1.4

AutoCAD Electrical: before 2023.1.4

AutoCAD Map 3D: before 2023.1.4

AutoCAD Mechanical: before 2023.1.4

AutoCAD MEP: before 2023.1.4

AutoCAD Plant 3D: before 2023.1.4

AutoCAD LT: before 2023.1.4

AutoCAD Mac: before 2024.1

AutoCAD Mac LT: before 2024.1

Autodesk Civil 3D: before 2023.1.4

Advance Steel: before 2023.1.4

CPE2.3 External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0018
http://www.zerodayinitiative.com/advisories/ZDI-23-1438/
http://www.zerodayinitiative.com/advisories/ZDI-23-1437/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds write

EUVDB-ID: #VU80207

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29075

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing PRT files. A remote attacker can create a specially crafted PRT file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Autodesk AutoCAD: before 2023.1.4

AutoCAD Architecture: before 2023.1.4

AutoCAD Electrical: before 2023.1.4

AutoCAD Map 3D: before 2023.1.4

AutoCAD Mechanical: before 2023.1.4

AutoCAD MEP: before 2023.1.4

AutoCAD Plant 3D: before 2023.1.4

AutoCAD LT: before 2023.1.4

AutoCAD Mac: before 2024.1

AutoCAD Mac LT: before 2024.1

Autodesk Civil 3D: before 2023.1.4

Advance Steel: before 2023.1.4

CPE2.3 External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0018
http://www.zerodayinitiative.com/advisories/ZDI-23-1436/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Buffer overflow

EUVDB-ID: #VU80208

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-29076

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing MODEL, SLDASM, SAT or CATPART files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Autodesk AutoCAD: before 2023.1.4

AutoCAD Architecture: before 2023.1.4

AutoCAD Electrical: before 2023.1.4

AutoCAD Map 3D: before 2023.1.4

AutoCAD Mechanical: before 2023.1.4

AutoCAD MEP: before 2023.1.4

AutoCAD Plant 3D: before 2023.1.4

AutoCAD LT: before 2023.1.4

AutoCAD Mac: before 2024.1

AutoCAD Mac LT: before 2024.1

Autodesk Civil 3D: before 2023.1.4

Advance Steel: before 2023.1.4

CPE2.3 External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0018
http://www.zerodayinitiative.com/advisories/ZDI-23-1435/
http://www.zerodayinitiative.com/advisories/ZDI-23-1434/
http://www.zerodayinitiative.com/advisories/ZDI-23-1433/
http://www.zerodayinitiative.com/advisories/ZDI-23-1432/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Untrusted pointer dereference

EUVDB-ID: #VU80209

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-41139

CWE-ID: CWE-822 - Untrusted Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to untrusted pointer dereference when processing STP files. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Autodesk AutoCAD: before 2023.1.4

AutoCAD Architecture: before 2023.1.4

AutoCAD Electrical: before 2023.1.4

AutoCAD Map 3D: before 2023.1.4

AutoCAD Mechanical: before 2023.1.4

AutoCAD MEP: before 2023.1.4

AutoCAD Plant 3D: before 2023.1.4

AutoCAD LT: before 2023.1.4

AutoCAD Mac: before 2024.1

AutoCAD Mac LT: before 2024.1

Autodesk Civil 3D: before 2023.1.4

Advance Steel: before 2023.1.4

CPE2.3 External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0018
http://www.zerodayinitiative.com/advisories/ZDI-23-1440/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Heap-based buffer overflow

EUVDB-ID: #VU80210

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-41140

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing PRT files. A remote attacker can trick the victim to load a specially crafted PRT file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Autodesk AutoCAD: before 2023.1.4

AutoCAD Architecture: before 2023.1.4

AutoCAD Electrical: before 2023.1.4

AutoCAD Map 3D: before 2023.1.4

AutoCAD Mechanical: before 2023.1.4

AutoCAD MEP: before 2023.1.4

AutoCAD Plant 3D: before 2023.1.4

AutoCAD LT: before 2023.1.4

AutoCAD Mac: before 2024.1

AutoCAD Mac LT: before 2024.1

Autodesk Civil 3D: before 2023.1.4

Advance Steel: before 2023.1.4

CPE2.3 External links

http://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0018
http://www.zerodayinitiative.com/advisories/ZDI-23-1442/
http://www.zerodayinitiative.com/advisories/ZDI-23-1441/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###