CVE-2023-41139

7.8 HIGH

📋 TL;DR

A maliciously crafted STP file can trigger an untrusted pointer dereference vulnerability in Autodesk AutoCAD 2024 and 2023. This could allow an attacker to execute arbitrary code in the context of the current AutoCAD process. Users who open untrusted STP files with affected AutoCAD versions are at risk.

💻 Affected Systems

Products:
  • Autodesk AutoCAD
Versions: 2024 and 2023
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present when parsing STP files; other AutoCAD versions may be affected but not listed in this CVE.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution with the privileges of the AutoCAD user, potentially leading to system compromise, data theft, or lateral movement.

🟠 Likely Case

Application crash (denial of service) or limited code execution within AutoCAD's process context.

🟢 If Mitigated

No impact if untrusted STP files are not opened or if the patch is applied.

🌐 Internet-Facing: LOW - Exploitation requires user interaction to open a malicious file, not directly internet-exposed.
🏢 Internal Only: MEDIUM - Risk exists if users open untrusted STP files from internal sources like email attachments or network shares.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction to open a malicious STP file; no public exploit code is known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Autodesk Security Advisory ADSK-SA-2023-0018 for specific patched versions

Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0018

Restart Required: Yes

Instructions:

1. Open Autodesk Desktop App or AutoCAD.
2. Check for updates.
3. Install the latest security update from Autodesk.
4. Restart AutoCAD after installation.

🔧 Temporary Workarounds

Block STP file extensions (Platform: windows)

Prevent AutoCAD from opening .stp files via group policy or application settings.

User awareness training (Platform: all)

Educate users not to open STP files from untrusted sources.

🧯 If You Can't Patch

  • Restrict user permissions to limit damage from potential code execution.
  • Use application whitelisting to prevent unauthorized executables from running.

🔍 How to Verify

Check if Vulnerable:

Check AutoCAD version against affected versions (2024, 2023) in the vendor advisory.

Check Version:

In AutoCAD, go to Help > About or type ABOUT at the command line.

Verify Fix Applied:

Verify AutoCAD version is updated to a patched version listed in Autodesk Security Advisory ADSK-SA-2023-0018.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes in AutoCAD when opening STP files
  • Unusual process creation from AutoCAD

Network Indicators:

  • Downloads of STP files from untrusted sources

SIEM Query:

EventID=1000 (Application Error) with AutoCAD in Source or Process Name
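An added example, not part of this advisory, that applies the two log indicators above to constructed Windows event records in Python. It assumes the AutoCAD process is named acad.exe, that Windows Application Error events carry EventID 1000 and Sysmon process creation EventID 1, and that event XML has already been flattened into dicts as shown.

```python
AUTOCAD_EXE = "acad.exe"  # assumed executable name of the AutoCAD process
# Shell/script hosts a CAD application has no business spawning (assumed watch list)
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe"}

def basename(path):
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_autocad_crash(ev):
    """Log indicator 1: Application Error (EventID 1000) whose faulting app is AutoCAD."""
    return (ev.get("EventID") == 1000 and ev.get("Source") == "Application Error"
            and basename(ev.get("FaultingApplication", "")) == AUTOCAD_EXE)

def is_unusual_child(ev):
    """Log indicator 2: Sysmon process creation (EventID 1) parented by AutoCAD
    where the child is a shell or script host."""
    return (ev.get("EventID") == 1 and ev.get("Source") == "Microsoft-Windows-Sysmon"
            and basename(ev.get("ParentImage", "")) == AUTOCAD_EXE
            and basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN)

def triage(events):
    """Return (indicator, host, detail) for every record matching either indicator."""
    findings = []
    for ev in events:
        if is_autocad_crash(ev):
            findings.append(("autocad_crash", ev["Computer"], ev.get("FaultingModule", "?")))
        elif is_unusual_child(ev):
            findings.append(("autocad_child_process", ev["Computer"], basename(ev["Image"])))
    return findings

# Constructed sample records, flattened from Event Log / Sysmon XML (not real telemetry)
SAMPLE_EVENTS = [
    {"EventID": 1000, "Source": "Application Error", "Computer": "CAD-WS01",
     "FaultingApplication": r"C:\Program Files\Autodesk\AutoCAD 2024\acad.exe",
     "FaultingModule": "unknown"},
    {"EventID": 1, "Source": "Microsoft-Windows-Sysmon", "Computer": "CAD-WS01",
     "ParentImage": r"C:\Program Files\Autodesk\AutoCAD 2024\acad.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1000, "Source": "Application Error", "Computer": "HR-WS07",
     "FaultingApplication": r"C:\Windows\System32\notepad.exe", "FaultingModule": "ntdll.dll"},
    {"EventID": 1, "Source": "Microsoft-Windows-Sysmon", "Computer": "CAD-WS02",
     "ParentImage": r"C:\Program Files\Autodesk\AutoCAD 2023\acad.exe",
     "Image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A crash alone is weak evidence (the faulting module is usually unknown for a parser bug), so correlate it with the file the user opened and with any child process spawned by the same acad.exe instance before escalating.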

🔗 References
