VYPR
Unrated severity · NVD Advisory · Published Dec 2, 2020 · Updated Aug 4, 2024

CVE-2020-13497

Description

An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 parses certain encoded types. A specially crafted malformed file can trigger an arbitrary out-of-bounds memory access in String Type Index. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read vulnerability in Pixar OpenUSD 20.05 allows information disclosure via a specially crafted malformed file requiring victim interaction.

Vulnerability

Pixar OpenUSD 20.05 contains an out-of-bounds read vulnerability in the parsing of certain encoded types within the String Type Index of the FIELDS section in the USD binary format. A specially crafted malformed file can trigger arbitrary out-of-bounds memory access, leading to information disclosure. The vulnerable versions include OpenUSD 20.05 and Apple macOS Catalina 10.15.3 [1].

Exploitation

An attacker must provide a malformed USD file to a victim. The victim needs to access the file, for example by opening it on macOS (which may automatically generate a thumbnail) or via iMessage on iOS. No special network position or authentication is required; the attack relies solely on victim interaction [1].

Impact

Successful exploitation allows an attacker to perform an out-of-bounds read, resulting in information disclosure. This can bypass security mitigations and aid further exploitation. The CVSSv3 score for this vulnerability is 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) [1].

Mitigation

As of the publication date, no patch has been disclosed in the available references. Users should monitor Pixar for updates and consider upgrading to a version later than 20.05 when a fix becomes available. Until then, avoid opening untrusted USD files [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
