Autodesk FBX | Multiple Security Vulnerabilities Advisory

Published: 2020-04-24

0x00 Vulnerability Overview



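| Product | CVE ID | Type | Severity | Remotely exploitable |
|---|---|---|---|---|
| Autodesk FBX-SDK <= 2019.0 | CVE-2020-7080 | BO | High | No |
| Autodesk FBX-SDK <= 2019.0 | CVE-2020-7081 | TC | High | No |
| Autodesk FBX-SDK <= 2019.0 | CVE-2020-7082 | UAF | High | No |
| Autodesk FBX-SDK <= 2019.0 | CVE-2020-7083 | IO | Medium | No |
| Autodesk FBX-SDK <= 2019.0 | CVE-2020-7084 | NPD | Medium | No |
| Autodesk FBX-SDK <= 2019.2 | CVE-2020-7085 | HO | High | No |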


0x01 Vulnerability Details


ÄϹ¬NGÓéÀÖ(Öйú)¹Ù·½ÍøÕ¾

Autodesk FBX-SDK is a C++ software development platform and API toolkit from the US company Autodesk. It is mainly used to convert existing content into the FBX format.

On April 15, Autodesk published an advisory stating that applications and services using FBX-SDK <= 2020.0 may be affected by buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference and heap overflow vulnerabilities. Details of the vulnerabilities are as follows:

CVE-2020-7080 is a buffer overflow vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file, leading to arbitrary code execution on the system. CVSS score: 7.8.

CVE-2020-7081 is a type confusion vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file, causing it to read or write out-of-bounds memory locations, run arbitrary code on the system, or cause a denial of service. CVSS score: 8.8.

CVE-2020-7082 is a use-after-free vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file, causing the application to reference a memory location controlled by an unauthorized third party and run arbitrary code on the system. CVSS score: 8.8.

CVE-2020-7083 is an integer overflow vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file, crashing the application and causing a denial of service. CVSS score: 6.5.

CVE-2020-7084 is a NULL pointer dereference vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file, crashing the application and causing a denial of service. CVSS score: 5.5.

CVE-2020-7085 is a heap overflow vulnerability in Autodesk FBX-SDK. An attacker may trick a user into opening a malicious FBX file which, by altering certain values in the FBX file, invokes the FBX parser containing the heap overflow to obtain limited code execution, resulting in arbitrary code running on the system. CVSS score: 7.8.


0x02 Remediation Advice


The vendor has now released an upgrade patch to fix the vulnerabilities. Patch link:

https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002


0x03 Related News


https://www.securityweek.com/microsoft-out-band-advisory-addresses-autodesk-fbx-vulnerabilities


0x04 Reference Links


https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002

https://nvd.nist.gov/vuln/detail/CVE-2020-7080

https://nvd.nist.gov/vuln/detail/CVE-2020-7081

https://nvd.nist.gov/vuln/detail/CVE-2020-7082

https://nvd.nist.gov/vuln/detail/CVE-2020-7083

https://nvd.nist.gov/vuln/detail/CVE-2020-7084

https://nvd.nist.gov/vuln/detail/CVE-2020-7085


0x05 Timeline


2020-04-15 Autodesk publishes the vulnerabilities

2020-04-24 VSRC publishes the vulnerability advisory


ÄϹ¬NGÓéÀÖ(Öйú)¹Ù·½ÍøÕ¾