Autodesk FBX|¶à¸öÇå¾²Îó²îͨ¸æ

Ðû²¼Ê±¼ä 2020-04-24

0x00 Îó²î¸ÅÊö



²úÆ·

CVE ID

Àà ÐÍ

Îó²îÆ·¼¶

Ô¶³ÌʹÓÃ

Autodesk FBX-SDK <= 2019.0

CVE-2020-7080

BO

¸ßΣ

·ñ

CVE-2020-7081

TC

¸ßΣ

·ñ

CVE-2020-7082

UAF

¸ßΣ

·ñ

CVE-2020-7083

IO

ÖÐΣ

·ñ

CVE-2020-7084

NPD

ÖÐΣ

·ñ

Autodesk FBX-SDK <= 2019.2

CVE-2020-7085

HO

¸ßΣ

·ñ


0x01 Îó²îÏêÇé


¼øºÚµ£±£Íø(jhdbw)¡¤×î¾ßȨÍþΨһάȨµ£±£Æ½Ì¨

Autodesk FBX-SDKÊÇÃÀ¹úÅ·ÌØ¿Ë£¨Autodesk£©¹«Ë¾µÄÒ»¿îC++Èí¼þ¿ª·¢Æ½Ì¨ºÍAPI¹¤¾ß°ü£¬£¬£¬ËüÖ÷ÒªÓÃÓÚ½«ÏÖÓÐÄÚÈÝת»»ÎªFBXÃûÌᣡ£¡£ ¡£¡£

4ÔÂ15ÈÕ£¬£¬£¬Autodesk¹Ù·½Ðû²¼Í¨¸æÅúעʹÓÃFBX-SDK <= 2020.0°æ±¾µÄÓ¦ÓóÌÐòºÍЧÀÍ¿ÉÄÜ»áÊܵ½»º³åÇøÒç³ö£¬£¬£¬ÀàÐÍ»ìÏý£¬£¬£¬ÊͷźóÖØÓ㬣¬£¬ÕûÊýÒç³ö£¬£¬£¬¿ÕÖ¸Õë½âÒýÓúͶÑÒç³öÎó²îµÄÓ°Ïì¡£¡£¡£ ¡£¡£Îó²îÏêϸÐÅÏ¢ÈçÏ£º

CVE-2020-7080 ÊÇAutodesk FBX-SDK»º³åÇøÒç³öÎó²î¡£¡£¡£ ¡£¡£¹¥»÷Õß¿ÉÄÜ»áÓÕÆ­Óû§·­¿ªÒ»¸ö¶ñÒâFBXÎļþ£¬£¬£¬µ¼ÖÂÔÚϵͳÉÏÖ´ÐÐí§Òâ´úÂë¡£¡£¡£ ¡£¡£CVSSÆÀ·Ö7.8¡£¡£¡£ ¡£¡£

CVE-2020-7081 ÊÇAutodesk FBX-SDKÀàÐÍ»ìÏýÎó²î¡£¡£¡£ ¡£¡£¹¥»÷Õß¿ÉÄÜ»áÓÕÆ­Óû§·­¿ªÒ»¸ö¶ñÒâFBXÎļþ£¬£¬£¬µ¼ÖÂÆä¶ÁÈ¡/дÈëÔ½½çÄÚ´æλÖûòÔÚϵͳÉÏÔËÐÐí§Òâ´úÂ룬£¬£¬»òÕßµ¼Ö¾ܾøЧÀÍ¡£¡£¡£ ¡£¡£CVSSÆÀ·Ö8.8¡£¡£¡£ ¡£¡£

CVE-2020-7082 ÊÇAutodesk FBX-SDKÊͷźóÖØÓÃÎó²î¡£¡£¡£ ¡£¡£¹¥»÷Õß¿ÉÄÜ»áÓÕÆ­Óû§·­¿ªÒ»¸ö¶ñÒâFBXÎļþ£¬£¬£¬µ¼Ö¸ÃÓ¦ÓóÌÐòÒýÓÃÓÉδ¾­ÊÚȨµÄµÚÈý·½¿ØÖƵÄÄÚ´æλÖ㬣¬£¬ÔÚϵͳÉÏÔËÐÐí§Òâ´úÂë¡£¡£¡£ ¡£¡£CVSSÆÀ·Ö8.8¡£¡£¡£ ¡£¡£

CVE-2020-7083 ÊÇAutodesk FBX-SDKÕûÊýÒç³öÎó²î¡£¡£¡£ ¡£¡£¹¥»÷Õß¿ÉÄÜ»áÓÕÆ­Óû§·­¿ªÒ»¸ö¶ñÒâFBXÎļþ£¬£¬£¬Ê¹Ó¦ÓóÌÐòÍ߽⵼Ö¾ܾøЧÀÍ¡£¡£¡£ ¡£¡£CVSSÆÀ·Ö6.5¡£¡£¡£ ¡£¡£

CVE-2020-7084 ÊÇAutodesk FBX-SDK ¿ÕÖ¸Õë½âÒýÓÃÎó²î¡£¡£¡£ ¡£¡£¹¥»÷Õß¿ÉÄÜ»áÓÕÆ­Óû§·­¿ªÒ»¸ö¶ñÒâFBXÎļþ£¬£¬£¬Ê¹Ó¦ÓóÌÐòÍ߽⵼Ö¾ܾøЧÀÍ¡£¡£¡£ ¡£¡£CVSSÆÀ·Ö5.5¡£¡£¡£ ¡£¡£

CVE-2020-7085 ÊÇAutodesk FBX-SDK ¶ÑÒç³öÎó²î¡£¡£¡£ ¡£¡£¹¥»÷Õß¿ÉÄÜ»áÓÕÆ­Óû§·­¿ªÒ»¸ö¶ñÒâFBXÎļþ£¬£¬£¬¸ÃÎļþ½«Í¨¹ý¸ü¸ÄFBXÎļþÖеÄijЩֵÀ´Å²ÓÃÓжÑÒç³öÎó²îµÄFBXÆÊÎöÆ÷À´»ñÈ¡ÓÐÏ޵ĴúÂëÖ´ÐУ¬£¬£¬´Ó¶øµ¼ÖÂÔÚϵͳÉÏÔËÐÐí§Òâ´úÂë¡£¡£¡£ ¡£¡£CVSSÆÀ·Ö7.8¡£¡£¡£ ¡£¡£


0x02 ´¦Öóͷ£½¨Òé


ÏÖÔÚ³§ÉÌÒÑÐû²¼Éý¼¶²¹¶¡ÒÔÐÞ¸´Îó²î£¬£¬£¬²¹¶¡»ñÈ¡Á´½Ó£º

https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002


0x03 Ïà¹ØÐÂÎÅ


https://www.securityweek.com/microsoft-out-band-advisory-addresses-autodesk-fbx-vulnerabilities


0x04 ²Î¿¼Á´½Ó


https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002

https://nvd.nist.gov/vuln/detail/CVE-2020-7080

https://nvd.nist.gov/vuln/detail/CVE-2020-7081

https://nvd.nist.gov/vuln/detail/CVE-2020-7082

https://nvd.nist.gov/vuln/detail/CVE-2020-7083

https://nvd.nist.gov/vuln/detail/CVE-2020-7084

https://nvd.nist.gov/vuln/detail/CVE-2020-7085


0x05 ʱ¼äÏß


2020-04-15 Autodesk¹Ù·½Ðû²¼Îó²î

2020-04-24 VSRCÐû²¼Îó²îͨ¸æ


¼øºÚµ£±£Íø(jhdbw)¡¤×î¾ßȨÍþΨһάȨµ£±£Æ½Ì¨