CVE-2022-42938: 
Autodesk Design Review vulnerability analysis and mitigation

A memory corruption vulnerability exists in Autodesk Design Review's TGA file processing functionality. The vulnerability (CVE-2022-42938) was discovered and disclosed on October 21, 2022. When a maliciously crafted TGA file is processed through the DesignReview.exe application, it can lead to memory corruption due to an improper bounds check. The vulnerability affects multiple versions of Autodesk Design Review including versions 2018, 2017, 2013, 2012, and 2011 (NVD, AttackerKB).

The vulnerability is caused by an out-of-bounds read vulnerability that exists in the decoding of Truevision Targa (TGA) files in Autodesk Design Review. Specifically, when processing a malformed TGA file, the application performs an improper bounds check leading to an out-of-bounds read memory access. The vulnerability has been assigned a CVSS v3 base score of 7.8 (High), with attack vector being Local, requiring user interaction, but no privileges (AttackerKB).

If successfully exploited, this vulnerability could allow an attacker to leak sensitive information within the context of the application. The vulnerability, when combined with other vulnerabilities, could potentially lead to code execution in the context of the current process (Fortinet).

Autodesk has released security patches to address this vulnerability. Users of Autodesk Design Review 2018 and earlier versions are strongly recommended to download and install the security hotfix (Hotfix 5) available through the Autodesk Knowledge Network. Customers using Design Review 2013 or earlier versions need to upgrade to version 2018 or later (Autodesk Advisory).

The vulnerability was discovered and reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs. In response to the discovery, Fortinet released an IPS signature named 'Autodesk.Design.Review.CVE-2022-42938.Memory.Corruption' to proactively protect their customers (Fortinet).