CVE-2023-29069
📋 TL;DR
This vulnerability allows attackers to place malicious DLL files in non-default locations, which can then be loaded by affected Autodesk software with elevated privileges. This leads to privilege escalation where attackers can execute arbitrary code with higher permissions. Users of affected Autodesk products on Windows systems are vulnerable.
💻 Affected Systems
- Autodesk AutoCAD
- Autodesk Civil 3D
- Autodesk Advance Steel
- Autodesk Architecture Engineering & Construction Collection
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with administrative privileges, allowing installation of persistent malware, data theft, and lateral movement across the network.
Likely Case
Local privilege escalation enabling attackers to gain higher privileges than their current user account, potentially accessing sensitive files or installing additional malware.
If Mitigated
Limited impact with proper application whitelisting and least privilege principles in place, preventing unauthorized DLL loading.
🎯 Exploit Status
Requires local access to place malicious DLL files; exploitation is straightforward once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.1.2 and later updates
Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0013
Restart Required: Yes
Instructions:
1. Open Autodesk Desktop App or access Autodesk Account.
2. Check for available updates.
3. Install the latest security update (2024.1.2 or later).
4. Restart the application and system as prompted.
🔧 Temporary Workarounds
Restrict DLL Loading
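Configure Windows to prevent loading of DLLs from untrusted locations using DLL search order hardening. The command below sets CWDIllegalInDllSearch system-wide, which removes the current working directory from the default DLL search order.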
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "CWDIllegalInDllSearch" -Value 0xFFFFFFFF
Application Whitelisting
On Windows, implement application control policies to only allow execution of signed, trusted DLLs.
🧯 If You Can't Patch
- Implement least privilege principles: Run Autodesk software with standard user accounts, not administrative privileges.
- Monitor for suspicious DLL file creation in application directories and use endpoint detection to block unauthorized DLL loading.
🔍 How to Verify
Check if Vulnerable:
Check the Autodesk product version: if you are running AutoCAD, Civil 3D, Advance Steel or the AEC Collection 2024 or earlier without the 2024.1.2 update, the system is vulnerable.
Check Version:
In AutoCAD: type the ABOUT command or open Help > About. In Windows: check Programs and Features for version details.
Verify Fix Applied:
Verify that the installed version is 2024.1.2 or later through the Autodesk product's About dialog or Control Panel.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Security Event ID 4688 for process creation with suspicious parent-child relationships, Sysmon Event ID 7 (Image loaded) for unexpected DLL loads from non-standard paths.
Network Indicators:
- Unusual outbound connections from Autodesk processes to external IPs, especially following DLL load events.
SIEM Query:
source="windows" EventCode=4688 OR EventCode=7 | where ProcessName contains "acad.exe" OR ProcessName contains "civil3d.exe" | where ImageLoaded contains ".dll" | where ImageLoaded !contains "C:\Program Files\Autodesk"
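The Sysmon Event ID 7 indicator above, as an added Python example that is not part of the original page or of Autodesk's advisory: it triages image-load events for the processes named in the query, comparing paths case-insensitively and on a directory boundary, and also flags unsigned DLLs inside a trusted folder. The trusted roots, the function names and the sample events are assumptions constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Process names are the ones in the page's query. The trusted roots are
# assumptions for this example; adjust them to the real install layout.
WATCHED = {"acad.exe", "civil3d.exe"}
TRUSTED_ROOTS = [r"C:\Program Files\Autodesk",
                 r"C:\Program Files\Common Files\Autodesk Shared",
                 r"C:\Windows\System32", r"C:\Windows\WinSxS"]

def under_root(path, root):
    """True if path lies inside root: case-insensitive, '..' collapsed, and
    matched on a directory boundary ('AutodeskTemp' is not 'Autodesk')."""
    p, r = (ntpath.normcase(ntpath.normpath(x)) for x in (path, root))
    return p.startswith(r + "\\")

def suspicious_loads(xml_events):
    """Return (image, dll, reason) for Sysmon Event ID 7 records to triage."""
    hits = []
    for raw in xml_events:
        ev = ET.fromstring(raw)
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "7":
            continue  # only image-load events carry ImageLoaded
        d = {x.get("Name"): x.text or "" for x in ev.iterfind("e:EventData/e:Data", NS)}
        image, dll = d.get("Image", ""), d.get("ImageLoaded", "")
        if ntpath.basename(image).lower() not in WATCHED:
            continue
        if not any(under_root(dll, r) for r in TRUSTED_ROOTS):
            hits.append((image, dll, "outside trusted roots"))
        elif d.get("Signed", "").lower() != "true":
            hits.append((image, dll, "unsigned in trusted root"))
    return hits

def sample_event(eid, image, dll, signed):
    """Build a minimal Sysmon-shaped event (constructed test data)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="Image">{image}</Data>'
            f'<Data Name="ImageLoaded">{dll}</Data>'
            f'<Data Name="Signed">{signed}</Data></EventData></Event>')
ACAD = r"C:\Program Files\Autodesk\AutoCAD 2024\acad.exe"  # constructed path
SAMPLE = [  # constructed events, not real telemetry
    sample_event(7, ACAD, r"C:\Program Files\Autodesk\AutoCAD 2024\core.dll", "true"),
    sample_event(7, ACAD, r"C:\Users\alice\Documents\Project\helper.dll", "false"),
    sample_event(7, ACAD, r"C:\Program Files\AutodeskTemp\helper.dll", "true"),
    sample_event(7, ACAD, r"c:\program files\autodesk\AutoCAD 2024\addon.dll", "false"),
    sample_event(7, r"C:\Windows\notepad.exe", r"C:\Temp\x.dll", "false"),
]
for image, dll, reason in suspicious_loads(SAMPLE):
    print(f"{reason}: {dll}")
```

Without the Windows system folders in the trusted list, every normal load from System32 would be reported, which is why the roots need tuning per environment before the output is useful for alerting.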