CVE-2023-29273

7.8 HIGH

📋 TL;DR

Adobe Substance 3D Painter versions 8.3.0 and earlier contain an out-of-bounds read vulnerability when parsing malicious files. This could allow attackers to execute arbitrary code with the privileges of the current user. Users who open untrusted files with vulnerable versions are affected.

💻 Affected Systems

Products:
  • Adobe Substance 3D Painter
Versions: 8.3.0 and earlier
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable when opening files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise through remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠 Likely Case

Local privilege escalation leading to data theft, ransomware deployment, or installation of persistence mechanisms.

🟢 If Mitigated

Application crash or denial of service if memory protections prevent code execution.

🌐 Internet-Facing: LOW - Exploitation requires user interaction to open malicious files, not directly network exploitable.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious files, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file) and bypassing memory protections.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.1 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_painter/apsb23-29.html

Restart Required: Yes

Instructions:

1. Open Adobe Substance 3D Painter.
2. Go to Help > Check for Updates.
3. Install version 8.3.1 or later.
4. Restart the application.

🔧 Temporary Workarounds

Restrict file opening

all

Only open files from trusted sources and disable automatic file opening features.

Application sandboxing

all

Run Substance 3D Painter in a sandboxed environment to limit potential damage.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of malicious payloads
  • Use endpoint detection and response (EDR) to monitor for suspicious file parsing behavior

🔍 How to Verify

Check if Vulnerable:

Open Help > About in Substance 3D Painter. If the version is 8.3.0 or earlier, the installation is vulnerable.

Check Version:

On Windows: Check application properties or registry. On macOS: Check app info. On Linux: Check package version.

Verify Fix Applied:

Verify version is 8.3.1 or later in Help > About and test opening known safe files.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected file parsing errors

Network Indicators:

  • Unusual outbound connections after file opening
  • File downloads from untrusted sources

SIEM Query:

Process:substance3dpainter.exe AND (EventID:1000 OR EventID:1001) OR FileHash matches known malicious hashes
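
The version rule from "How to Verify" and the crash-event clause of the SIEM query above, combined into one triage pass. This is an added example, not code from Adobe or from the original page; the host names, inventory, event records and their field names are constructed assumptions.

```python
import re

FIXED = (8, 3, 1)                    # first patched release per the advisory above
PROCESS = "substance3dpainter.exe"   # process name as written in the SIEM query above
CRASH_EVENT_IDS = {1000, 1001}       # Application Error / Windows Error Reporting

def parse_version(text):
    """Turn '8.3.0' into (8, 3, 0); pad short versions, reject anything else."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_vulnerable(version_text):
    # Numeric tuple comparison: a plain string compare would rank "8.10.0" below "8.3.1".
    return parse_version(version_text) < FIXED

def triage(inventory, events):
    """Return hosts that are unpatched, unverifiable, or showing matching crashes."""
    crashes = {}
    for ev in events:
        if ev["event_id"] in CRASH_EVENT_IDS and ev["process"].lower() == PROCESS:
            crashes[ev["host"]] = crashes.get(ev["host"], 0) + 1
    report = {}
    for host, version in inventory.items():
        try:
            vulnerable = is_vulnerable(version)
        except ValueError:
            vulnerable = None        # unknown version: needs a manual check
        count = crashes.get(host, 0)
        if vulnerable is not False or count:
            report[host] = {"version": version, "vulnerable": vulnerable, "crashes": count}
    return report

# Constructed sample data (hypothetical hosts and log records).
INVENTORY = {"ws-01": "8.3.0", "ws-02": "8.3.1", "ws-03": "8.10.0",
             "ws-04": "8.2", "ws-05": "unknown"}
EVENTS = [
    {"host": "ws-01", "event_id": 1000, "process": "Substance3DPainter.exe"},
    {"host": "ws-01", "event_id": 1001, "process": "substance3dpainter.exe"},
    {"host": "ws-02", "event_id": 1000, "process": "substance3dpainter.exe"},
    {"host": "ws-03", "event_id": 1000, "process": "explorer.exe"},
    {"host": "ws-04", "event_id": 4624, "process": "substance3dpainter.exe"},
]

if __name__ == "__main__":
    for host, row in sorted(triage(INVENTORY, EVENTS).items()):
        print(host, row)
```

Hosts that are both unpatched and crashing (ws-01 in the sample) are the ones to patch and investigate first; a crash on a patched host is reported but does not by itself indicate this CVE.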
