CVE-2024-47437 – Substance3D Painter versions 10.1.0 and earlier... (How to Fix)

Q: What is the severity of CVE-2024-47437?

CVE-2024-47437 has a CVSS score of 5.5 (MEDIUM). Substance3D Painter versions 10.1.0 and earlier contain an out-of-bounds read vulnerability that could allow an attacker to read sensitive memory contents. This could potentially bypass security mitigations like ASLR. Users who open malicious files with affected versions are at risk.

📋 TL;DR

Substance3D Painter versions 10.1.0 and earlier contain an out-of-bounds read vulnerability that could allow an attacker to read sensitive memory contents. This could potentially bypass security mitigations like ASLR. Users who open malicious files with affected versions are at risk.

💻 Affected Systems

Products:

Adobe Substance3D Painter

Versions: 10.1.0 and earlier

Operating Systems: Windows, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of affected versions are vulnerable by default when opening files.

📦 What is this software?

Substance 3d Painter by Adobe

View all CVEs affecting Substance 3d Painter →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could read sensitive memory contents, potentially obtaining credentials, encryption keys, or other protected data, and bypass ASLR to enable further exploitation.

🟠

Likely Case

Limited information disclosure from memory, potentially revealing some application data but unlikely to lead to full system compromise without additional vulnerabilities.

🟢

If Mitigated

With proper controls, only non-critical memory data might be exposed, with minimal impact on system security.

🌐 Internet-Facing: LOW - Exploitation requires user interaction to open a malicious file, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Internal users could be tricked into opening malicious files, potentially leading to information disclosure within the organization.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM - Requires crafting a malicious file and convincing user to open it.

Exploitation requires user interaction (opening malicious file). No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.2.0 or later

Vendor Advisory: https://helpx.adobe.com/security/products/substance3d_painter/apsb24-86.html

Restart Required: Yes

Instructions:

1. Open Substance3D Painter. 2. Go to Help > Check for Updates. 3. Follow prompts to install version 10.2.0 or later. 4. Restart the application.

🔧 Temporary Workarounds

Restrict file opening

all

Only open Substance3D Painter files from trusted sources

Application sandboxing

all

Run Substance3D Painter in a sandboxed environment

🧯 If You Can't Patch

Implement application whitelisting to prevent execution of older vulnerable versions
Educate users about risks of opening untrusted Substance3D Painter files

🔍 How to Verify

Check if Vulnerable:

Open Substance3D Painter, go to Help > About, check if version is 10.1.0 or earlier.

Check Version:

Not applicable - check via application GUI

Verify Fix Applied:

Verify version is 10.2.0 or later in Help > About.

📡 Detection & Monitoring

Log Indicators:

Application crashes when opening files
Unusual memory access patterns in application logs

Network Indicators:

No network indicators - local file exploitation

SIEM Query:

EventID for application crashes from Substance3D Painter process

📊 Metadata

CVE ID: CVE-2024-47437

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE: CWE-125

Published: November 12, 2024

Last Updated: November 13, 2024

🔗 References

https://helpx.adobe.com/security/products/substance3d_painter/apsb24-86.html Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-47437, you might also want to check these: