Microsoft has released a new patch for multiple remote code execution (RCE) vulnerabilities in software that uses the Autodesk FBX library.
According to Microsoft, the RCE vulnerability exists in the Autodesk FBX library that is integrated in Microsoft Office 2019 and Office 365 ProPlus (32 and 64 bit versions).
An excerpt from the Microsoft advisory:
“Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”
Microsoft
The patch is rated “Important” and corrects the way 3D content is handled by Microsoft software.
Autodesk updates
Readers can also check out the Autodesk security advisory that addresses multiple other products.
Autodesk confirmed that apps/services that use FBX-SDK (Ver. 2020.0 or earlier) can be impacted by buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference, and heap overflow vulnerabilities.
The following CVEs are listed with brief description of each:
- CVE-2020-7080: “A user may be tricked into opening a malicious FBX file which may exploit a buffer overflow vulnerability in FBX’s SDK causing it to run arbitrary code on the system.”
- CVE-2020-7081: “A user may be tricked into opening a malicious FBX file which may exploit a type confusion vulnerability in FBX’s SDK causing it to read/write out-of-bounds memory location or run arbitrary code on the system or lead to denial-of-service.”
- CVE-2020-7082: “A user may be tricked into opening a malicious FBX file which may exploit a use-after-free vulnerability in FBX’s SDK causing the application to reference a memory location controlled by an unauthorized third party, thereby running arbitrary code on the system.”
- CVE-2020-7083: “The user may be tricked into opening a malicious FBX file which may exploit an integer overflow vulnerability in FBX’s SDK causing the application to crash leading to a denial of service.”
- CVE-2020-7084: “The user may be tricked into opening a malicious FBX file which may exploit a Null Pointer Dereference vulnerability in FBX’s SDK causing the application to crash leading to a denial of service.”
- CVE-2020-7085: “The user may be tricked into opening a malicious FBX file which would invoke the heap overflow vulnerable FBX parser to obtain a limited code execution by altering certain values in a FBX file, causing the application to run arbitrary code on the system.”
Additional affected products include: Autodesk AutoCAD, Fusion, FBX-SDK, Maya, Motion Builder, Mudbox, Infraworks and others.