CVE-2020-13494

Vulnerability

Pixar OpenUSD version 20.05 contains a heap overflow vulnerability in the parsing of compressed string tokens within binary USD files [1]. The TOKENS section of a USD file includes an LZ4 compressed buffer containing an array of C-style strings. The parsing code reads a numTokens value and uncompressed size, then decompresses the buffer. A malformed file can specify an incorrect uncompressed size, leading to a heap overflow when the decompressed data exceeds the allocated buffer. This vulnerability is reachable when a victim opens a specially crafted USD file. OpenUSD is used in Apple's ModelIO framework on macOS and iOS, where USD files are automatically processed for thumbnails or shared via iMessage.

Exploitation

An attacker can exploit this vulnerability by providing a malicious USD file to a victim. No authentication or special network position is required; the victim only needs to open the file (e.g., by viewing a thumbnail or opening an attachment). The parsing code in the TOKENS section triggers a heap overflow due to insufficient validation of the compressed buffer size, resulting in out-of-bounds memory access [1].

Impact

Successful exploitation leads to information disclosure, as the out-of-bounds read can leak heap memory contents. This could bypass security mitigations and aid further exploitation. The CVSSv3 score is 4.3 (Low), indicating limited impact on confidentiality with no impact on integrity or availability [1].

Mitigation

As of the publication date (2020-12-02), no official fix has been released for this vulnerability in Pixar OpenUSD 20.05 [1]. Users should avoid opening USD files from untrusted sources. It is recommended to monitor the OpenUSD project for updates and apply any patches when available. Apple may have addressed this in subsequent OS updates, but no specific advisory is referenced.