OTPulse

Autodesk FBX SDK

Recommended action: Plan Patch
CVSS base score: 7.8
Advisory: ICS-CERT ICSA-23-073-02
Published: Mar 29, 2023
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Autodesk FBX SDK, and any product that links it, is affected by multiple memory-safety vulnerabilities (CWE-125 out-of-bounds read, CWE-416 use-after-free, CWE-787 out-of-bounds write) that can lead to code execution or denial of service. The bugs are in the SDK's file parser and are triggered when it processes a specially crafted FBX model file, so every application that bundles a vulnerable copy of the library inherits them. FBX SDK versions 2020 and earlier are affected; Luxion KeyShot versions 11.3 and earlier ship such a copy and are affected.

What this means
What could happen
An attacker who gets an engineer to open a crafted FBX 3D model file could execute code on, or crash, the engineering workstation or CAD system that parses it. The attack vector is local: the file has to reach the workstation (email attachment, file share, removable media, vendor download) and be opened there. A successful compromise could disrupt design workflows, expose credentials stored on workstations used for control system design, or deny access to critical design and configuration files.
Who's at risk
Engineering and CAD workstations using Luxion KeyShot or any software built on Autodesk FBX SDK for 3D modeling. This affects design firms, manufacturers using CAD for control system design, and any organization where engineers work with 3D models or visualizations. The risk is elevated for utilities and manufacturers where the same workstations may be used to design or configure industrial control systems.
How it could be exploited
An attacker creates an FBX 3D model file whose binary structure is crafted to drive the SDK's parser into a memory error (out-of-bounds read or write, or use-after-free). When an engineer opens the file in KeyShot or any other application built on a vulnerable FBX SDK, the parser corrupts its own memory; an out-of-bounds read most often ends in a crash or information leak, while an out-of-bounds write or use-after-free can be turned into code execution with the privileges of the user who opened the file. If that workstation is used for control system design or engineering, the attacker gains a foothold in the engineering environment.
Prerequisites
  • User interaction required: an engineer must open the malicious FBX file
  • The application that opens it must use a vulnerable FBX SDK library (≤ 2020, or KeyShot ≤ 11.3)
  • Attack vector is local: the crafted file must be delivered to and opened on the workstation; no network access to the host and no authentication are needed
Tags:
  • user interaction required to exploit
  • low complexity attack
  • affects engineering workstations that may have access to OT networks
  • multiple memory corruption vulnerabilities
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2, both with a fix available)
Product          | Affected Versions | Fixed In
FBX SDK          | ≤ 2020            | 2020.3.2
Luxion KeyShot   | ≤ 11.3            | 2023.1
Remediation & Mitigation
Do now
WORKAROUND: Restrict email attachments and file transfers to block FBX files from external sources; only allow FBX files from trusted internal design sources. Filter on file content (the FBX binary or ASCII header) rather than on the .fbx extension alone, since a renamed model file is still parsed as FBX once the user opens it in the application.
HARDENING: Train users not to open FBX files from untrusted sources
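The gateway workaround above is only as good as the file identification behind it, so here is an added example (written for this page, not code from OTPulse, Autodesk or Luxion) of a content-based FBX filter: it recognises both binary and ASCII FBX by their headers, reads the format version from the binary header, and blocks FBX content that does not come from a configured set of trusted senders. The sample payloads, the trusted-sender list and the sender/filename pairs are constructed for the demonstration; the header layout is the documented Kaydara binary FBX header (21-byte magic, 0x1A 0x00, little-endian uint32 version).

```python
import struct

# Binary FBX files begin with a fixed 27-byte header (Kaydara/Autodesk format):
#   bytes 0..20   b"Kaydara FBX Binary  \x00"   (magic text, two spaces, NUL)
#   bytes 21..22  0x1A 0x00
#   bytes 23..26  uint32 little-endian version number, e.g. 7400 for FBX 7.4
# ASCII FBX files begin with a comment line such as "; FBX 7.4.0 project file".
FBX_BINARY_MAGIC = b"Kaydara FBX Binary  \x00\x1a\x00"
FBX_ASCII_PREFIX = b"; FBX "
FBX_HEADER_LEN = 27


def classify_fbx(data: bytes) -> dict:
    """Identify FBX content by header bytes, independent of the file extension.

    Returns {"is_fbx": bool, "kind": "binary" | "ascii" | None, "version": int | None}.
    A binary FBX whose header is truncated (fewer than 27 bytes) is still reported
    as FBX: a malformed header is exactly the kind of input a vulnerable parser
    should never be handed.
    """
    if data.startswith(FBX_BINARY_MAGIC):
        version = None
        if len(data) >= FBX_HEADER_LEN:
            version = struct.unpack_from("<I", data, 23)[0]
        return {"is_fbx": True, "kind": "binary", "version": version}
    if data.lstrip().startswith(FBX_ASCII_PREFIX):
        return {"is_fbx": True, "kind": "ascii", "version": None}
    return {"is_fbx": False, "kind": None, "version": None}


def decide(sender: str, filename: str, data: bytes, trusted_senders: set) -> tuple:
    """Gateway policy for the workaround: FBX content is only allowed from trusted
    internal design sources. Returns (action, reason) with action "allow" or "block".
    """
    info = classify_fbx(data)
    if not info["is_fbx"]:
        return ("allow", "not FBX content")
    if sender.lower() in {s.lower() for s in trusted_senders}:
        return ("allow", f"{info['kind']} FBX from trusted sender {sender}")
    if not filename.lower().endswith(".fbx"):
        # FBX content behind a different extension is a filter-evasion pattern worth calling out.
        return ("block", f"{info['kind']} FBX content named {filename!r} from untrusted sender {sender}")
    return ("block", f"{info['kind']} FBX from untrusted sender {sender}")


# Constructed samples (not real model files): a minimal binary FBX header claiming
# version 7.4, an ASCII FBX header, and a non-FBX PDF header for contrast.
SAMPLE_BINARY_FBX = FBX_BINARY_MAGIC + struct.pack("<I", 7400) + b"\x00" * 16
SAMPLE_ASCII_FBX = b"; FBX 7.4.0 project file\n; constructed sample\n"
SAMPLE_PDF = b"%PDF-1.7\n"

# Hypothetical trusted internal design source used by this demonstration.
TRUSTED = {"cad-vault@corp.example"}

if __name__ == "__main__":
    for sender, name, payload in [
        ("cad-vault@corp.example", "pump_housing.fbx", SAMPLE_BINARY_FBX),
        ("vendor@external.example", "pump_housing.fbx", SAMPLE_BINARY_FBX),
        ("vendor@external.example", "pump_housing.dat", SAMPLE_BINARY_FBX),
        ("vendor@external.example", "scene.txt", SAMPLE_ASCII_FBX),
        ("vendor@external.example", "datasheet.pdf", SAMPLE_PDF),
    ]:
        print(f"{sender:26} {name:18} -> {decide(sender, name, payload, TRUSTED)}")
```

Run as-is to see the five constructed cases; the two renamed files (`.dat`, `.txt`) are the ones an extension-only rule would let through. Wire `decide` into the attachment or file-transfer hook of your gateway, and treat a "block" on a non-.fbx name as worth an analyst's look rather than a silent drop.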
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Luxion KeyShot to version 2023.1 or later
HOTFIX: Update Autodesk FBX SDK to version 2020.3.2 or later via the Autodesk Desktop App. The SDK is a library: applications that bundle it only receive the fix once their vendor rebuilds and ships against the patched version, so check each FBX-capable application on the workstation individually rather than assuming one update covers them all
Long-term hardening
HARDENING: Implement network segmentation to isolate engineering workstations from operational technology networks