CVE-2021-27040: 
Mitsubishi Electric ICONICS GENESIS64 vulnerability analysis and mitigation

CVE-2021-27040 is a vulnerability affecting multiple Autodesk products, ICONICS GENESIS64, and Mitsubishi Electric MC Works64. The vulnerability was discovered in June 2021 and involves an out-of-bounds read condition when parsing DWG files. The affected products include various versions of Autodesk AutoCAD family products (2019-2022), GENESIS64 (versions up to 10.97), and MC Works64 (up to version 4.04E) (Autodesk Advisory, CISA Advisory).

The vulnerability is characterized by a lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure when parsing DWG files. It has been assigned a CVSS v3.1 base score of 3.3 (Low) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-125 (Out-of-bounds Read) (ZDI Advisory, CISA Advisory).

While the vulnerability primarily allows for information disclosure, it can potentially be leveraged in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. User interaction is required for exploitation, as the target must visit a malicious page or open a malicious file (ZDI Advisory).

Autodesk has released updates to address this vulnerability in various versions of affected products. The recommended versions are 2022.0.1, 2021.1.1, 2020.1.4, and 2019.1.3 for most products in the AutoCAD family. ICONICS has released GENESIS64 Version 10.97.1 to address the vulnerability. Users are advised to update to these patched versions through the Autodesk Desktop App or Accounts Portal (Autodesk Advisory).