Download

Security problem with .fbx files - remote code execution - UNREAL is affected

Hello,

Microsoft recently announced there is a security problem with Autodesk’s .fbx format : https://www.forbes.com/sites/daveywi…/#3a0043674750

You can find more details here : https://www.autodesk.com/trust/secur…k-sa-2020-0002

I would like to know if Epic’s products are affected, including Quixel’s ones. I already asked both Tim Sweeney & the Unreal Engine account on Twitter, but they did not answer.

Hello, can anyone from Epic answer?

Did you read the article?
It clearly says that this is a Microsoft problem.

“In order to exploit these vulnerabilities in a 3D attack scenario, the attacker would need to send maliciously created files containing 3D content that a user would have to open.”
If you open it within Unreal, chances are whatever malicious code won’t be executed by the PC.
If you use windows to open the file, then I’m not exactly sure what you are doing in the first place or why it is linked to Unreal.

If it was a Microsoft problem you wouldn’t have Autodesk listing their software and the FBX SDK as vulnerable. As far as I can tell UE4 is using the SDK.

Curious if turning on System -> Performance -> DEP for UE4, would help?
That and unplugging from the net when loading ‘unknown sourced’ FBX etc.
Many attacks just open doors to payloads that still have to be downloaded.
It’d be useful to know if entire malware can be embedded into the fbx or not?

Unreal uses FBX SDK 2018.1.1 (as of 4.24.3) so yes it is affected. Do not open any untrusted FBX files, i.e. ones you didn’t export yourself.

To fix it, the engine would need to be upgraded to use FBX SDK 2020.

I ask you the same question : did you read the article?

It does not say this is a Microsoft-only problem. It says this is a problem with Autodesk’s .fbx files, and Microsoft is affected because they use Autodesk’s code to read .fbx files in some of their softwares.
Unreal also reads .fbx files, however I don’t know if it uses Autodesk’s code for this, so I don’t know if it is affected by this problem.

As @UntamedLoli said :
“If it was a Microsoft problem you wouldn’t have Autodesk listing their software and the FBX SDK as vulnerable. As far as I can tell UE4 is using the SDK.”

EDIT : @Zeblote confirmed Unreal is affected.

Thank you. :slight_smile:

Do you know if Epic is aware? I will report the issue here, no-one did it yet.

First of: something needs to run the file with some sort of access.
If, for instance, you load an FBX in Maya or Blender, then this could potentially be possible.

However - and I know because I developed my own FBX writing plugin - both Blender and Unreal write and read only specific parts of the FBX file and ignore whatever they do not recognize.

So, it’s very likely that whatever the exploit with the memory overflow is is not an issue at all for either Blender - using the Import, or Unreal.

If Autodesk made a test file to check if the vulnerability is triggered this could even be tested.
It is entirely possible that importing into blender is a valid way to strip away the bad code. It all depends on where the code is injected.

Answer from the Epic bug submission team :

aaa.PNG

Assumptions are the mother of all f**k-ups dude. :stuck_out_tongue:

Right now there are skilled techs in NK / China / Russia etc looking for zero-days in the replacement code. This is never ending whac-a-mole… :wink: