During a recent client engagement, the DGC (DiCicco, Gulman & Company) penetration testing team identified a previously unknown vulnerability affecting the Autodesk Licensing Service, a software component bundled with nearly all licensed Autodesk products. The vulnerability exists in a software component common to most Autodesk products and impacts nearly all organizations using licensed Autodesk software in any capacity. The Common Vulnerabilities and Exposures number is CVE-2021-27032, Autodesk Licensing Service: Local Privilege Escalation.

Because these software products are so widely deployed across the public and private sectors, vulnerabilities in Autodesk products pose a significant risk to many organizations, as Autodesk products are often used to generate and process intellectual property and other sensitive data. While a vulnerability in any one Autodesk product represents a risk to the organizations which happen to be using that specific piece of software, a vulnerability that affects nearly all Autodesk applications is considered a critical issue requiring immediate attention.

Autodesk is a global leader in 3D design and development software, and their products are ubiquitous across many industry verticals, including architecture, engineering, construction, design, and manufacturing. Organizations all over the world rely on Autodesk products, including AutoCAD, to aid in the design, development, and manufacturing of all kinds of products. Additionally, Autodesk software is widely deployed across the defense industrial base and critical infrastructure sectors.

Issue

The issue lies in the default permissions assigned to the Autodesk Licensing Service which runs as a locally privileged operating system account. The default privileges assigned to this service allow any authenticated user to modify the service configuration. This means that any low privileged user can abuse this vulnerable service configuration to execute code in the context of a highly privileged account, resulting in local privilege escalation. As a result, an attacker could then install programs; view, change, or delete (Read more...)