Autodesk FBX | Multiple Security Vulnerabilities Advisory

Published: 2020-04-24

0x00 Vulnerability Overview



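| Product | CVE ID | Type | Severity | Remotely exploitable |
|---|---|---|---|---|
| Autodesk FBX-SDK <= 2019.0 | CVE-2020-7080 | BO | High | No |
| Autodesk FBX-SDK <= 2019.0 | CVE-2020-7081 | TC | High | No |
| Autodesk FBX-SDK <= 2019.0 | CVE-2020-7082 | UAF | High | No |
| Autodesk FBX-SDK <= 2019.0 | CVE-2020-7083 | IO | Medium | No |
| Autodesk FBX-SDK <= 2019.0 | CVE-2020-7084 | NPD | Medium | No |
| Autodesk FBX-SDK <= 2019.2 | CVE-2020-7085 | HO | High | No |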


0x01 Vulnerability Details



Autodesk FBX-SDK is a C++ software development platform and API toolkit from the US company Autodesk. It is mainly used to convert existing content into the FBX format.

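On April 15, Autodesk published an advisory stating that applications and services using FBX-SDK <= 2020.0 may be affected by buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference, and heap overflow vulnerabilities. Details of the vulnerabilities are as follows: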

CVE-2020-7080 is a buffer overflow vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file, resulting in arbitrary code execution on the system. CVSS score: 7.8.

CVE-2020-7081 is a type confusion vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file, causing the application to read from or write to out-of-bounds memory locations, run arbitrary code on the system, or suffer a denial of service. CVSS score: 8.8.

CVE-2020-7082 is a use-after-free vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file, causing the application to reference a memory location controlled by an unauthorized third party and run arbitrary code on the system. CVSS score: 8.8.

CVE-2020-7083 is an integer overflow vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file, crashing the application and causing a denial of service. CVSS score: 6.5.

CVE-2020-7084 is a NULL pointer dereference vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file, crashing the application and causing a denial of service. CVSS score: 5.5.

CVE-2020-7085 is a heap overflow vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file that, by altering certain values in the file, exploits the heap overflow in the FBX parser to obtain limited code execution, resulting in arbitrary code running on the system. CVSS score: 7.8.


0x02 Remediation Recommendations


The vendor has released updated patches that fix the vulnerabilities. The patches are available at:

https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002


0x03 Related News


https://www.securityweek.com/microsoft-out-band-advisory-addresses-autodesk-fbx-vulnerabilities


0x04 References


https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002

https://nvd.nist.gov/vuln/detail/CVE-2020-7080

https://nvd.nist.gov/vuln/detail/CVE-2020-7081

https://nvd.nist.gov/vuln/detail/CVE-2020-7082

https://nvd.nist.gov/vuln/detail/CVE-2020-7083

https://nvd.nist.gov/vuln/detail/CVE-2020-7084

https://nvd.nist.gov/vuln/detail/CVE-2020-7085


0x05 Timeline


2020-04-15 Autodesk officially disclosed the vulnerabilities

2020-04-24 VSRC published the vulnerability advisory

