CVE-2020-6148

Vulnerability

A heap-based buffer overflow vulnerability exists in Pixar OpenUSD version 20.05 when parsing compressed sections in binary USD files. Specifically, the FIELDSETS section decompression routine in crateFile.cpp fails to properly validate bounds, leading to a heap overflow. The vulnerability is present in the USDC file format and is triggered when the file format version is 4 or higher, as sections are compressed. Affected versions include Pixar OpenUSD 20.05 and potentially earlier versions that support compressed sections. [1]

Exploitation

An attacker can exploit this vulnerability by crafting a malicious USD binary file with a specially compressed FIELDSETS section. The victim must open the file using an application that relies on OpenUSD, such as Apple's ModelIO framework on macOS or iOS. On macOS, USD files are automatically processed to generate thumbnails, requiring no user interaction beyond viewing the file in Finder. On iOS, user interaction (e.g., opening an iMessage attachment) is needed. No authentication or network access is required beyond delivering the file. [1]

Impact

Successful exploitation allows an attacker to achieve remote code execution in the context of the application processing the file. Given the CVSSv3 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), the impact is high across confidentiality, integrity, and availability. The attacker gains the ability to execute arbitrary code, potentially leading to full system compromise. [1]

Mitigation

As of the publication date (2020-11-13), no official patch was available from Pixar. Users are advised to avoid opening untrusted USD files from unknown sources. Apple may have addressed this through OS updates for macOS and iOS that update the ModelIO framework. Check for security updates from Pixar and Apple. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the knowledge cutoff. [1]