Autodesk ID: ADSK-SA-2019-0003
Product, Service, Component: Autodesk® FBX Software Development Kit
Impact: Arbitrary code execution
Severity: High
Original Publish: 30/10/2019
Last Revised: 30/10/2019
| Severity | CVSS Score | Impact |
|---|---|---|
| Low | 0.1 - 3.9 | A vulnerability where scope and impact of exploitation is restricted and the ability to exploit is extremely difficult. |
| Medium | 4.0 - 6.9 | A vulnerability where exploitation is mitigated by factors such as difficulty to exploit, default configuration or ease of identification. |
| High | 7.0 - 8.9 | A vulnerability, which if exploited, would directly impact the confidentiality, integrity or availability of user's data or processing resources. |
| Critical | 9.0 - 10 | A vulnerability, which if exploited, would allow remote execution of malicious code without user action. |
FBX is affected by a buffer overflow vulnerability which may lead to arbitrary code execution on a system running it. A Security Fix is available via the Autodesk Knowledge Network.
The details of the vulnerability are as follows:
CVE-2019-7366: A user may be tricked into opening a malicious FBX file which may exploit a buffer overflow vulnerability in FBX’s SDK causing it to run arbitrary code on the system.
Item: FBX-SDK
Impacted Versions: 2019.5
Mitigated Versions: 2020.0
Update Source: FBX SDK 2020.0
*Note: Product list table contents subject to change.
Autodesk highly recommends that customers of the affected products obtain and apply the latest Security Fix for their products via the Autodesk Knowledge Network. For third party developers who use the FBX-SDK in their applications or services, Autodesk highly recommends they obtain and apply the latest version of the FBX-SDK from the update source listed above.
Autodesk was made aware of this vulnerability by a third-party security researcher, along with a second vulnerability, that reported against one of our sample/tutorial codes and not the production FBX 2019.5 Software Development Kit. It was related to example sample code not catching an exception; however, the SDK does the correct thing here: it throws an exception. The sample code is not intended to be production code and should not be used as such – to this end, it poses no risk to production environments.
The following CVE has been reserved as a result of the remediation activities. Details regarding the CVE are available here: https://cve.mitre.org
CVE-2019-7366: FBX Buffer Overflow Vulnerability
Revision: 1.0
Date: 30/10/2019
Description: Initial Release
INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.
