CVE-2024-23138 & 23139: Autodesk Patches Critical Flaws in Popular Design Software

CVE-2024-23138 and CVE-2024-23139

Autodesk, a leader in the design and engineering software industry, has released critical security updates for several popular applications. These patches address two vulnerabilities (CVE-2024-23138 and CVE-2024-23139) that could have severe consequences for users of affected software versions.

CVE-2024-23138: The DWG Danger

To exploit the first vulnerability, a malicious actor could embed harmful code within a seemingly innocuous DWG file (the standard format for many Autodesk products). When such a file is opened in a vulnerable version of DWG TrueView or other affected Autodesk software, the malicious code could potentially:

  • Crash the Application: Disrupting workflows and potentially allowing further attacks.
  • Steal Sensitive Data: Exposing design assets, project information, or personal user data.
  • Take Over Systems: In extreme cases, cybercriminals could execute arbitrary code on the user’s machine, leading to a full system compromise.

CVE-2024-23139: Manipulating Flash Files

The second vulnerability is specific to the Autodesk FBX Review application. By crafting a malicious Flash file (ActionScript Byte Code, ABC), an attacker could achieve results similar to those of the DWG exploit. The vulnerability could be chained with others for greater impact and control over the victim’s system.
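Both flaws are reached through files that a user opens, so a practical defensive control is to check, at the point where design files enter the organisation (mail gateway, file-share intake, ticket attachments), whether a file's content matches what its name claims. The following is an added example written for this article, not code from Autodesk or from the original post. It uses the real DWG header convention (a six-character version tag such as AC1032 at offset 0) and the ABC header layout from the AVM2 specification (minor_version then major_version as little-endian 16-bit values, 16 and 46 in released files); treating exactly that pair as the ABC signature, and the verdict names and sample files, are the example's own assumptions.

```python
"""Intake triage for design-file attachments: does the content match the
claimed type?  Added example for this article, not Autodesk's code."""
import struct

# DWG files begin with a 6-byte ASCII version tag (AC1015 = R2000 ... AC1032 = R2018).
DWG_VERSION_TAGS = {
    b"AC1012", b"AC1014", b"AC1015", b"AC1018",
    b"AC1021", b"AC1024", b"AC1027", b"AC1032",
}

# ABC (ActionScript Byte Code) header per the AVM2 overview: minor_version u16 LE,
# major_version u16 LE; released files carry 16 / 46.  Assumption: that exact pair
# is treated as the ABC signature here.
ABC_MINOR, ABC_MAJOR = 16, 46


def sniff(data: bytes) -> str:
    """Return the type implied by the leading bytes: 'dwg', 'abc' or 'unknown'."""
    if len(data) >= 6 and data[:6] in DWG_VERSION_TAGS:
        return "dwg"
    if len(data) >= 4:
        minor, major = struct.unpack("<HH", data[:4])
        if (minor, major) == (ABC_MINOR, ABC_MAJOR):
            return "abc"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Classify one attachment.
       allow  - .dwg name and a DWG version tag agree
       block  - ABC content under any name (no business reason to receive raw ABC)
       review - extension/content mismatch or unrecognised content
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if kind == "abc":
        return {"file": filename, "verdict": "block",
                "reason": "ActionScript byte code; do not hand untrusted ABC to FBX Review"}
    if ext == "dwg":
        if kind == "dwg":
            return {"file": filename, "verdict": "allow",
                    "reason": "DWG version tag matches .dwg extension"}
        return {"file": filename, "verdict": "review",
                "reason": "named .dwg but carries no DWG version tag"}
    if kind == "dwg":
        return {"file": filename, "verdict": "review",
                "reason": f"DWG content under .{ext or '(none)'} extension"}
    return {"file": filename, "verdict": "review", "reason": "unrecognised content"}


# Constructed samples (not real files): header bytes followed by zero padding.
SAMPLES = {
    "site_plan.dwg":    b"AC1032" + b"\x00" * 64,                  # DWG tag, .dwg name
    "site_plan_v2.dwg": b"MZ\x90\x00" + b"\x00" * 64,              # executable head under .dwg
    "texture_pack.dat": struct.pack("<HH", 16, 46) + b"\x00" * 64, # ABC header, misleading name
    "notes.bin":        b"AC1027" + b"\x00" * 64,                  # DWG tag, odd extension
}


def triage_all(samples=SAMPLES) -> dict:
    """Verdict per sample name, handy for a gateway log or a unit test."""
    return {name: triage(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage(name, data)
        print(f"{r['verdict']:6} {name}: {r['reason']}")
```

Whether a mismatch is blocked or merely queued for review is a policy choice; the useful part is that the decision is made on content, since the vulnerable parsers are reached only when the file is actually opened.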

Affected Software and Mitigation Steps

Autodesk has published a comprehensive list of affected and patched versions. Users of impacted products should immediately apply the latest updates. These are typically available through:

  • Autodesk App Store
  • The built-in update mechanisms within the affected software
  • Autodesk’s official website for specific product hotfixes
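Deciding who still needs the update usually means comparing an install inventory against the fixed versions in Autodesk's list. The script below is an added example written for this article, not Autodesk's tooling, and the version thresholds in it are placeholders invented for the demonstration (take the real values from the advisory). The inventory rows are constructed. It compares versions numerically rather than as strings, treats each major product line separately so a 2023 install is not judged against a 2024 fix, and reports a line it has no threshold for instead of guessing.

```python
"""Patch-exposure triage for an Autodesk install inventory.
Added example for this article; thresholds are PLACEHOLDERS."""
import csv
import io
import re
from typing import Dict, List, Tuple

# PLACEHOLDER thresholds: product -> {major line -> first fixed version}.
# These numbers are invented for the example; substitute the versions from
# Autodesk's advisory before relying on the output.
PLACEHOLDER_THRESHOLDS: Dict[str, Dict[str, str]] = {
    "DWG TrueView": {"2024": "2024.1.2", "2023": "2023.1.5"},
    "FBX Review":   {"1": "1.5.9"},
}

# Constructed inventory export, shaped like what an asset or EDR tool produces.
INVENTORY_CSV = """host,display_name,version
cad-ws-01,Autodesk DWG TrueView 2024 - English,2024.1.1
cad-ws-02,Autodesk DWG TrueView 2024 - English,2024.1.2
cad-ws-03,Autodesk DWG TrueView 2023 - English,2023.1.5.1
cad-ws-04,Autodesk DWG TrueView 2022 - English,2022.1.3
viz-ws-01,Autodesk FBX Review,1.5.3
eng-ws-09,Microsoft Edge,120.0.2210.91
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'2024.1.2 Update 3' -> (2024, 1, 2, 3); non-numeric text is ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_lt(a: str, b: str) -> bool:
    """True if a < b after zero-padding to equal length ('2024.1' == '2024.1.0')."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def classify(display_name: str, version: str,
             thresholds: Dict[str, Dict[str, str]] = PLACEHOLDER_THRESHOLDS) -> str:
    """'patched' | 'vulnerable' | 'unknown-line' | 'not-in-scope'."""
    for product, per_line in thresholds.items():
        if product.lower() in display_name.lower():
            parts = parse_version(version)
            major = str(parts[0]) if parts else ""
            fixed = per_line.get(major)
            if fixed is None:
                return "unknown-line"   # major line not in the table: consult the advisory
            return "vulnerable" if version_lt(version, fixed) else "patched"
    return "not-in-scope"


def triage_inventory(csv_text: str = INVENTORY_CSV,
                     thresholds: Dict[str, Dict[str, str]] = PLACEHOLDER_THRESHOLDS) -> List[dict]:
    """Annotate every inventory row with its patch status."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({**r, "status": classify(r["display_name"], r["version"], thresholds)})
    return rows


if __name__ == "__main__":
    for r in triage_inventory():
        print(f"{r['status']:13} {r['host']:10} {r['display_name']} {r['version']}")
```

Rows marked unknown-line are the ones to look up by hand; a script that silently called them patched or vulnerable would hide exactly the installs most likely to be forgotten.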

Who Should Be Concerned?

  • Designers, Architects, and Engineers: Autodesk products are widely used in industries where sensitive intellectual property is created and stored.
  • Businesses Relying on Autodesk Software: Supply chains and collaborative projects can be disrupted if partners use vulnerable software versions.
  • Individuals Opening Design Files: Even casual usage of affected programs for viewing DWG or FBX files could pose a risk.