Patch Now! Adobe Stager Flaws Leak Memory, Run Rogue Code

Adobe has released a crucial security update that rectifies six vulnerabilities in its Substance 3D Stager product. If exploited successfully, these vulnerabilities could lead to memory leaks and arbitrary code execution.

Substance 3D Stager is a cutting-edge tool for crafting 3D scenes, boasting real-time visualization and high-quality rendering capabilities.

At the time of this update’s release, none of the vulnerabilities resolved by Adobe were widely known. It appears that they had not been exploited in actual attacks either.

A detailed list of the rectified vulnerabilities is available below. These vulnerabilities have been assigned the following identifiers: CVE-2024-20710, CVE-2024-20711, CVE-2024-20712, CVE-2024-20713, CVE-2024-20714, CVE-2024-20715.

The vulnerabilities classified as “Out-of-bounds” or “Buffer Overflow” allow a remote attacker to gain access to potentially confidential information. These vulnerabilities arise due to an error in checking boundary conditions. A remote attacker can craft a specific file that, when opened by the victim, triggers a buffer overflow error and reads the system’s memory.

The vulnerability CVE-2024-20713, classified under “Improper Input Validation”, enables a remote attacker to access a compromised machine. This vulnerability is caused by insufficient validation of user-entered data. The remote attacker can deceive a user into opening a specially crafted malicious file, subsequently gaining control over the system and executing arbitrary code.

Versions of Substance 3D Stager for Windows and macOS earlier than 2.1.3 are susceptible to these vulnerabilities. To mitigate any risks, it is recommended to upgrade to the secure version number 2.1.4 if this has not already occurred automatically.