Multiple High-Risk Vulnerabilities on Autodesk Design Review Software
Autodesk is a well-known software company for products in the construction, engineering, and manufacturing industries. It owns AutoCAD, AutoCAD WS, Autodesk Alias, Autodesk Maya, Autodesk Design Review, and other software has a large number of customers all over the world.
On June 14, 2021, Autodesk released the security advisory for Autodesk Design Review software. This security update has fixed 7 vulnerabilities. Attackers can use these vulnerabilities to construct a malicious web page or file to induce users to click, thereby controlling the user’s host.
Autodesk products are usually used on employee office machines on corporate intranets. Attackers usually use social engineering methods to disguise their identities as job applicants and other identities to send files containing malicious code to corporate employees. When corporate employees run the file, the attacker can directly execute arbitrary code on the employee’s host, thereby breaking through the corporate defense strategy and directly invading the corporate office network segment.
Vulnerability Detail
- CVE-2021-27033 – A Double Free vulnerability allows remote attackers to execute arbitrary code on PDF files within affected installations of Autodesk Design Review. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
- CVE-2021-27034 – A heap-based buffer overflow could occur while parsing PICT or TIFF files. This vulnerability can be exploited to execute arbitrary code.
- CVE-2021-27035 – A maliciously crafted TIFF, PDF, PICT or DWF files can be forced to read beyond allocated boundaries when parsing the TIFF, PDF, PICT or DWF files. This vulnerability can be exploited to execute arbitrary code.
- CVE-2021-27036 – A maliciously crafted PDF, PICT, or TIFF file can be used to write beyond the allocated buffer while parsing PDF, PICT, or TIFF files. This vulnerability can be exploited to execute arbitrary code.
- CVE-2021-27037 – A maliciously crafted PNG, PDF or DWF file can be used to attempt to free an object that has already been freed while parsing them. This vulnerability can be exploited by remote attackers to execute arbitrary code.
- CVE-2021-27038 – A Type Confusion vulnerability can occur when processing a maliciously crafted PDF file. An attacker can leverage this to execute arbitrary code.
- CVE-2021-27039 – A maliciously crafted TIFF file can be forced to read and write beyond allocated boundaries when parsing the TIFF file. This vulnerability can be exploited to execute arbitrary code.
In this regard, we recommend that users upgrade Autodesk Design Review software to the latest version in time.