40 Zero-Day Vulnerabilities Found in Autodesk AutoCAD
Autodesk AutoCAD, a widely used CAD software across engineering, architecture, and manufacturing industries, has been found to contain 40 zero-day vulnerabilities. These flaws, if exploited, could potentially allow attackers to execute arbitrary code, compromising sensitive data and disrupting operations dependent on the software.
These vulnerabilities serve as potential gateways for attackers, allowing them to execute code in the context of the current process when a user unwittingly visits a malicious page or opens a compromised file. The vulnerabilities identified, with CVE identifiers including CVE-2024-0446, CVE-2024-23120, CVE-2024-23121, CVE-2024-23122, CVE-2024-23123 and CVE-2024-23124, cover a spectrum of maliciously crafted files including STP, CATPART, 3DM, MODEL, SLDPRT, SLDASM, IGS, and more. These files, when parsed through Autodesk AutoCAD, can lead to dire consequences such as Out-of-Bound Writes, Stack-based Overflows, Heap-based Overflows, Memory Corruption, User-After-Free, and Dereferencing Untrusted Pointers.
Affected Products
Item |
Impacted Versions |
---|---|
Autodesk AutoCAD |
2024, 2023, 2022, 2021 |
Autodesk AutoCAD Architecture |
2024, 2023, 2022, 2021 |
Autodesk AutoCAD Electrical |
2024, 2023, 2022, 2021 |
Autodesk AutoCAD Map 3D |
2024, 2023, 2022, 2021 |
Autodesk AutoCAD Mechanical |
2024, 2023, 2022, 2021 |
Autodesk AutoCAD MEP |
2024, 2023, 2022, 2021 |
Autodesk AutoCAD Plant 3D |
2024, 2023, 2022, 2021 |
Autodesk AutoCAD LT |
2024, 2023, 2022, 2021 |
Autodesk Civil 3D |
2024, 2023, 2022, 2021 |
Autodesk Advance Steel |
2024, 2023, 2022, 2021 |
Autodesk, acknowledging the gravity of these findings, has committed to issuing fixes in an upcoming release. The vulnerabilities, intricate in their nature, can lead to crashes, unauthorized reading and writing of sensitive data, and, most alarmingly, the execution of arbitrary code that could compromise the security and privacy of the operations conducted through AutoCAD.
Despite the severity, the silver lining is that these vulnerabilities require user interaction for exploitation, which somewhat mitigates the risk, reflected in a CVSS severity rating of 7.8. The Zero Day Initiative (ZDI) suggests limiting interaction with AutoCAD applications as a mitigation strategy, though this is far from a viable solution for many businesses and organizations reliant on AutoCAD for their day-to-day operations. Other interim steps include:
- Avoid using the import feature
- Disable imports by renaming acTranslators.exe in the AutoCAD install folder. This disables imports of the following file-types: 3dm, abc, CATPart, iges, igs, model, prt, sldasm, sldprt, step, sstp, x_t
- Import files from trusted sources only