CVE-2020-13524

Vulnerability

An out-of-bounds memory corruption vulnerability exists in the way Pixar OpenUSD version 20.05 uses SPECS data from binary USD files. The SPECS section contains three arrays (Path Indexes, FSet Indexes, Spec Types) that are used to reconstruct the scene graph. When parsing a crafted USD file, the software can read or write beyond allocated buffer boundaries, leading to memory corruption. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) [2].

Exploitation

To exploit this vulnerability, an attacker must supply a specially crafted malformed USD binary file. The victim needs to access the file, which can occur when the file is opened in applications that use OpenUSD or the ModelIO framework on macOS (e.g., SceneKit, ARKit). On macOS, USD files are automatically rendered to generate thumbnails, which could trigger the vulnerability without explicit user interaction beyond file system access. The attack vector is network-based (AV:N) with low attack complexity (AC:L) and requires user interaction (UI:R) [2].

Impact

Successful exploitation results in out-of-bounds memory access and modification, leading to memory corruption. An attacker can achieve limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L). The CVSSv3 score is 6.3 [2]. On Apple platforms, this vulnerability may allow a malicious application to execute arbitrary code with system privileges, as indicated by the macOS security advisory [1].

Mitigation

Apple addressed this issue in macOS Big Sur 11.1, Security Update 2020-001 Catalina, and Security Update 2020-007 Mojave, released December 14, 2020, by improving input validation [1]. Users should update their macOS to the latest available version. For other platforms using OpenUSD, upstream fixes should be applied when available. No workarounds are documented in the provided references.