CVE-2021-27027
📋 TL;DR
An out-of-bounds read vulnerability in Autodesk FBX Review version 1.5.0 and earlier allows attackers to execute arbitrary code or disclose sensitive information by tricking users into opening maliciously crafted DLL files. This affects all users of FBX Review 1.5.0 and prior versions.
💻 Affected Systems
- Autodesk FBX Review
📦 What is this software?
FBX Review by Autodesk
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with SYSTEM/administrator privileges leading to complete system compromise, data theft, and lateral movement.
Likely Case
Local privilege escalation or information disclosure when users open malicious FBX files containing crafted DLLs.
If Mitigated
Limited to information disclosure or denial of service if proper application sandboxing and user privilege restrictions are in place.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file). Multiple ZDI advisories suggest weaponization is likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.1 or later
Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
Restart Required: Yes
Instructions:
1. Download FBX Review 1.5.1 or later from the Autodesk website.
2. Uninstall the previous version.
3. Install the updated version.
4. Restart the system.
🔧 Temporary Workarounds
Restrict DLL loading (Windows)
Use Windows policies to restrict DLL loading from untrusted locations.
Use Windows AppLocker or Software Restriction Policies to block DLL execution from user-writable directories.
User awareness training (all platforms)
Train users to only open FBX files from trusted sources.
🧯 If You Can't Patch
- Uninstall FBX Review if not required for business operations
- Implement application whitelisting to prevent execution of malicious DLLs
🔍 How to Verify
Check if Vulnerable:
Check FBX Review version in Help > About. If version is 1.5.0 or earlier, system is vulnerable.
Check Version:
Check application version in Help > About menu or via Windows Add/Remove Programs
Verify Fix Applied:
Verify version is 1.5.1 or later in Help > About menu.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading errors
- Application crashes in FBX Review
- Unusual process creation from FBX Review
Network Indicators:
- Unusual outbound connections from FBX Review process
SIEM Query:
Process Creation where Image contains 'fbxreview.exe' AND ParentImage contains 'explorer.exe' AND CommandLine contains '.dll'
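The query above is a pattern over process-creation telemetry rather than a query for one specific SIEM, so it is useful to see the same logic as code that can be run over exported events. The block below is an added example (not vendor, ZDI or SIEM product code): it implements the advisory's SIEM query exactly as written, and additionally covers the "Unusual process creation from FBX Review" log indicator by flagging interpreters or loaders spawned by the FBX Review process. The Sysmon-style event records, the install path under Program Files, and the list of suspicious child processes are all constructed assumptions for the example.

```python
"""Detection logic for the CVE-2021-27027 indicators in this advisory, run over
constructed Sysmon-style process-creation (Event ID 1) records.
Added example; not code from Autodesk, ZDI or any SIEM vendor."""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal subset of a process-creation event (field names follow Sysmon)."""
    event_id: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str


def _contains(haystack: str, needle: str) -> bool:
    # Windows paths and executable names are case-insensitive, so normalise
    # before matching; a SIEM 'contains' operator usually does the same.
    return needle.lower() in haystack.lower()


def matches_siem_query(ev: ProcessCreate) -> bool:
    """The advisory's query, verbatim: Image contains 'fbxreview.exe'
    AND ParentImage contains 'explorer.exe' AND CommandLine contains '.dll'."""
    return (
        _contains(ev.image, "fbxreview.exe")
        and _contains(ev.parent_image, "explorer.exe")
        and _contains(ev.command_line, ".dll")
    )


# Assumed list: a model viewer has no legitimate reason to launch any of these.
SUSPICIOUS_CHILDREN = (
    "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe",
)


def is_unusual_child(ev: ProcessCreate) -> bool:
    """Log indicator 'Unusual process creation from FBX Review': the parent is
    fbxreview.exe and the child is an interpreter or DLL loader."""
    return _contains(ev.parent_image, "fbxreview.exe") and any(
        _contains(ev.image, child) for child in SUSPICIOUS_CHILDREN
    )


def detect(events: Iterable[ProcessCreate]) -> dict:
    """Return the event ids matched by each rule, in input order."""
    hits = {"siem_query": [], "unusual_child": []}
    for ev in events:
        if matches_siem_query(ev):
            hits["siem_query"].append(ev.event_id)
        if is_unusual_child(ev):
            hits["unusual_child"].append(ev.event_id)
    return hits


# Constructed sample telemetry; the install path is an assumption.
FBX = r"C:\Program Files\Autodesk\FBX Review\fbxreview.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    # Normal use: the viewer opened on an .fbx model from Explorer.
    ProcessCreate("E1", FBX, EXPLORER, f'"{FBX}" C:\\Users\\alice\\model.fbx'),
    # Matches the advisory query: a .dll passed on the command line.
    ProcessCreate("E2", FBX, EXPLORER, f'"{FBX}" C:\\Users\\alice\\Downloads\\model.dll'),
    # Viewer spawning a shell: matches the unusual-child indicator.
    ProcessCreate("E3", r"C:\Windows\System32\cmd.exe", FBX, "cmd.exe /c whoami"),
    # Unrelated shell launched by the user; no rule should fire.
    ProcessCreate("E4", r"C:\Windows\System32\cmd.exe", EXPLORER, "cmd.exe"),
    # Same as E2 with mixed case, which the query must still catch.
    ProcessCreate("E5", FBX.replace("fbxreview", "FBXReview"), EXPLORER.upper(),
                  r'"FBXReview.exe" C:\Temp\Crafted.DLL'),
]

if __name__ == "__main__":
    for rule, ids in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: {ids}")
```

Running the block prints `siem_query: ['E2', 'E5']` and `unusual_child: ['E3']`. The case-insensitive match matters in practice: Sysmon records the image path as the loader reports it, and a rule that only matches lowercase `fbxreview.exe` would miss E5.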
🔗 References
- https://www.autodesk.com/trust/security-advisories/adsk-sa-2021-0001
- https://www.zerodayinitiative.com/advisories/ZDI-21-469/
- https://www.zerodayinitiative.com/advisories/ZDI-21-470/
- https://www.zerodayinitiative.com/advisories/ZDI-21-471/
- https://www.zerodayinitiative.com/advisories/ZDI-21-472/
- https://www.zerodayinitiative.com/advisories/ZDI-21-473/