CVE-2019-7365
Autodesk Desktop Application vulnerability analysis and mitigation

Overview

A DLL preloading vulnerability (CVE-2019-7365) affects Autodesk Desktop Application versions 7.0.16.29 and earlier. The vulnerability allows an attacker to trick a user into downloading a malicious DLL file into the working directory, which can then be leveraged to execute code on the system (Autodesk Advisory, NVD).

Technical details

The vulnerability exists in the Autodesk desktop application service (AdAppMgrSvc.exe), which runs with NT AUTHORITY\SYSTEM privileges. The issue stems from a call made by an accompanying library to load a missing DLL, combined with a lack of digital certificate validation. Together these allow arbitrary, unsigned DLLs to be loaded. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD, ZDNET).

Impact

If exploited, the vulnerability allows an attacker to operate with the privileges of NT AUTHORITY\SYSTEM, the most powerful user in Windows. This enables access to almost every file and process belonging to the user on the computer. The vulnerability can be used for privilege escalation and arbitrary code execution (ZDNET).

Mitigation and workarounds

Autodesk released a patch for CVE-2019-7365 on November 27, 2019. Users are strongly advised to apply the latest update for Autodesk Desktop Application (ADA) by clicking the update button in the application. The vulnerability is fixed in versions after 7.0.16.29 (ZDNET, Autodesk Advisory).
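
An added example, not part of the original page or Autodesk's own code: a triage check that covers the affected version range stated above and the unsigned-DLL loading described under Technical details. It assumes image-load telemetry using Sysmon Event ID 7 field names (Image, ImageLoaded, Signed, SignatureStatus); the sample events, paths and DLL names are constructed placeholders.

```python
import ntpath

SERVICE = "adappmgrsvc.exe"        # service binary named on this page
LAST_VULNERABLE = (7, 0, 16, 29)   # page: 7.0.16.29 and earlier are affected


def is_vulnerable(version: str) -> bool:
    """True if a dotted ADA version string is 7.0.16.29 or earlier."""
    parts = tuple(int(p) for p in version.strip().split("."))
    # Pad short versions so "7.0.17" compares as 7.0.17.0.
    parts += (0,) * (len(LAST_VULNERABLE) - len(parts))
    return parts <= LAST_VULNERABLE


def unsigned_loads(events):
    """Return image-load events where the service loaded a DLL
    that is unsigned or whose signature did not validate."""
    hits = []
    for ev in events:
        # Windows paths are case-insensitive; ntpath parses them on any OS.
        if ntpath.basename(ev.get("Image", "")).lower() != SERVICE:
            continue
        signed = str(ev.get("Signed", "false")).lower() == "true"
        valid = ev.get("SignatureStatus", "").lower() == "valid"
        if not (signed and valid):
            hits.append(ev)
    return hits


# Constructed sample events (assumed field names; placeholder paths and DLL names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Example\AdAppMgrSvc.exe",
     "ImageLoaded": r"C:\Example\placeholder_signed.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Example\AdAppMgrSvc.exe",
     "ImageLoaded": r"C:\Example\placeholder_unsigned.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Example\other.exe",
     "ImageLoaded": r"C:\Example\placeholder_unsigned.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\EXAMPLE\ADAPPMGRSVC.EXE",
     "ImageLoaded": r"C:\Example\placeholder_expired.dll",
     "Signed": "true", "SignatureStatus": "Expired"},
]

if __name__ == "__main__":
    for ev in unsigned_loads(SAMPLE_EVENTS):
        print("review:", ev["ImageLoaded"], ev["SignatureStatus"])
```
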

Community reactions

The vulnerability was discovered and reported by SafeBreach Labs in July 2019. Autodesk acknowledged the bug and issued a CVE number, responding with a patch release in November 2019 (SecurityWeek).

Source: This report was generated using AI

Related Autodesk Desktop Application vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2022-33882 | CRITICAL | 9.8 | Autodesk Desktop Application | cpe:2.3:a:autodesk:autodesk_desktop | No | Yes | Oct 03, 2022 |
| CVE-2019-7365 | HIGH | 7.8 | Autodesk Desktop Application | cpe:2.3:a:autodesk:autodesk_desktop | No | Yes | Dec 03, 2019 |
