CVE-2022-42934: 
Autodesk Design Review vulnerability analysis and mitigation

A memory corruption vulnerability exists in Autodesk Design Review when processing maliciously crafted .dwf or .pct files through the DesignReview.exe application. The vulnerability is caused by a write access violation that occurs when consuming these files (Autodesk Advisory, NVD). The vulnerability was discovered in October 2022 and affects Autodesk Design Review versions 2018, 2017, 2013, 2012, and 2011.

The vulnerability is identified as a memory corruption issue triggered by write access violation when processing specially crafted .dwf or .pct files. When exploited in conjunction with other vulnerabilities, it could lead to code execution in the context of the current process. The vulnerability has been assigned a CVSS v3 Base Score of 7.8 (High), with attack vector being Local, attack complexity Low, requiring user interaction, and no privileges required (AttackerKB).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code within the context of the current process. The vulnerability affects the confidentiality, integrity, and availability of the system with High impact scores for each category (AttackerKB).

Autodesk has released security patches to address this vulnerability. Users of Autodesk Design Review 2018 and earlier versions are strongly recommended to download and install the security hotfix (Hotfix 5) available through the Autodesk Knowledge Network. Users of Design Review 2013 or earlier versions need to upgrade to version 2018 or later (Autodesk Advisory).

The vulnerability was discovered and reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs, who also discovered several other related vulnerabilities in Autodesk products. Fortinet has released an IPS signature named Autodesk.Design.Review.CVE-2022-42934.Remote.Code.Execution to protect their customers (FortiGuard Labs).