CVE Vulnerabilities

CVE-2019-7364

Uncontrolled Search Path Element

Published: Aug 23, 2019 | Modified: Sep 03, 2019
CVSS 3.x: 7.8 HIGH
Source: NVD
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 2.x: 6.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:P

DLL preloading vulnerability in versions 2017, 2018, 2019, and 2020 of Autodesk Advanced Steel, Civil 3D, AutoCAD, AutoCAD LT, AutoCAD Architecture, AutoCAD Electrical, AutoCAD Map 3D, AutoCAD Mechanical, AutoCAD MEP, AutoCAD Plant 3D and version 2017 of AutoCAD P&ID. An attacker may trick a user into opening a malicious DWG file that may leverage a DLL preloading vulnerability in AutoCAD which may result in code execution.

Weakness

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Advance_steel | Autodesk | 2017 (including) | 2017 (including) |
| Advance_steel | Autodesk | 2018 (including) | 2018 (including) |
| Advance_steel | Autodesk | 2019 (including) | 2019 (including) |
| Advance_steel | Autodesk | 2020 (including) | 2020 (including) |
| Autocad | Autodesk | 2017 (including) | 2017 (including) |
| Autocad | Autodesk | 2018 (including) | 2018 (including) |
| Autocad | Autodesk | 2019 (including) | 2019 (including) |
| Autocad | Autodesk | 2020 (including) | 2020 (including) |
| Autocad_architecture | Autodesk | 2017 (including) | 2017 (including) |
| Autocad_architecture | Autodesk | 2018 (including) | 2018 (including) |
| Autocad_architecture | Autodesk | 2019 (including) | 2019 (including) |
| Autocad_architecture | Autodesk | 2020 (including) | 2020 (including) |
| Autocad_electrical | Autodesk | 2017 (including) | 2017 (including) |
| Autocad_electrical | Autodesk | 2018 (including) | 2018 (including) |
| Autocad_electrical | Autodesk | 2019 (including) | 2019 (including) |
| Autocad_electrical | Autodesk | 2020 (including) | 2020 (including) |
| Autocad_lt | Autodesk | 2017 (including) | 2017 (including) |
| Autocad_lt | Autodesk | 2018 (including) | 2018 (including) |
| Autocad_lt | Autodesk | 2019 (including) | 2019 (including) |
| Autocad_lt | Autodesk | 2020 (including) | 2020 (including) |
| Autocad_map_3d | Autodesk | 2017 (including) | 2017 (including) |
| Autocad_map_3d | Autodesk | 2018 (including) | 2018 (including) |
| Autocad_map_3d | Autodesk | 2019 (including) | 2019 (including) |
| Autocad_map_3d | Autodesk | 2020 (including) | 2020 (including) |
| Autocad_mechanical | Autodesk | 2017 (including) | 2017 (including) |
| Autocad_mechanical | Autodesk | 2018 (including) | 2018 (including) |
| Autocad_mechanical | Autodesk | 2019 (including) | 2019 (including) |
| Autocad_mechanical | Autodesk | 2020 (including) | 2020 (including) |
| Autocad_mep | Autodesk | 2017 (including) | 2017 (including) |
| Autocad_mep | Autodesk | 2018 (including) | 2018 (including) |
| Autocad_mep | Autodesk | 2019 (including) | 2019 (including) |
| Autocad_mep | Autodesk | 2020 (including) | 2020 (including) |
| Autocad_p&id | Autodesk | 2017 (including) | 2017 (including) |
| Autocad_plant_3d | Autodesk | 2017 (including) | 2017 (including) |
| Autocad_plant_3d | Autodesk | 2018 (including) | 2018 (including) |
| Autocad_plant_3d | Autodesk | 2019 (including) | 2019 (including) |
| Autocad_plant_3d | Autodesk | 2020 (including) | 2020 (including) |
| Civil_3d | Autodesk | 2017 (including) | 2017 (including) |
| Civil_3d | Autodesk | 2018 (including) | 2018 (including) |
| Civil_3d | Autodesk | 2019 (including) | 2019 (including) |
| Civil_3d | Autodesk | 2020 (including) | 2020 (including) |

Extended Description

Although this weakness can occur with any type of resource, it is frequently introduced when a product uses a directory search path to find executables or code libraries, but the path contains a directory that can be modified by an attacker, such as “/tmp” or the current working directory. In Windows-based systems, when the LoadLibrary or LoadLibraryEx function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled:

In some cases, the attack can be conducted remotely, such as when SMB or WebDAV network shares are used.

One or more locations in that path could include the Windows drive root or its subdirectories. This often exists in Linux-based code that assumes the controlled nature of the root directory (/) or its subdirectories (/etc, etc.), or in code that recursively accesses the parent directory. In Windows, the drive root and some of its subdirectories have weak permissions by default, which makes them uncontrolled.

In some Unix-based systems, a PATH might be created that contains an empty element, e.g. by splicing an empty variable into the PATH. This empty element can be interpreted as equivalent to the current working directory, which might be an untrusted search element.

In software package management frameworks (e.g., npm, RubyGems, or PyPI), the framework may identify dependencies on third-party libraries or other packages, then consult a repository that contains the desired package. The framework may search a public repository before a private repository. Attackers could exploit this by placing a malicious package in the public repository that has the same name as a package from the private repository. The search path might not be directly under the control of the developer relying on the framework, but this search order effectively contains an untrusted element.
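The Unix PATH case described above can be checked mechanically. The following is an added example, not part of the CVE record or of any vendor tooling: it audits a colon-separated search path for empty elements, relative elements, and directories writable by group or others. The names `audit_search_path` and `build_sample` are hypothetical, and the sample path is constructed.

```python
import os
import stat
import tempfile

def audit_search_path(value, sep=":"):
    """Return (position, entry, issue) for each risky element of a PATH-style string."""
    findings = []
    for pos, entry in enumerate(value.split(sep)):
        if entry == "":
            # Empty element: POSIX shells and execvp() treat it as the current directory.
            findings.append((pos, entry, "empty"))
            continue
        if not os.path.isabs(entry):
            # "." or "bin" resolves against whatever directory the process runs in.
            findings.append((pos, entry, "relative"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            continue  # nonexistent entries are not examined in this example
        if stat.S_ISDIR(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
            # Other accounts can drop an executable or library into this directory.
            findings.append((pos, entry, "group-or-world-writable"))
    return findings

def build_sample():
    """Constructed sample: a PATH spliced with an empty variable, plus a 0777 directory."""
    root = tempfile.mkdtemp()
    safe = os.path.join(root, "safe")
    loose = os.path.join(root, "loose")
    os.mkdir(safe)
    os.chmod(safe, 0o755)
    os.mkdir(loose)
    os.chmod(loose, 0o777)  # chmod is explicit so the umask does not mask the bits
    extra = ""  # stands in for the unset variable spliced into PATH
    return f"{extra}:{safe}:{loose}:.", safe, loose

if __name__ == "__main__":
    sample, _, _ = build_sample()
    for pos, entry, issue in audit_search_path(sample):
        print(pos, repr(entry), issue)
```

Running `audit_search_path(os.environ["PATH"])` on a host gives the same report for the live environment.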
