Autodesk, Inc Information for VU#732760
Autodesk Backburner Manager contains a stack-based buffer overflow vulnerability
- Date Notified: 09 Dec 2015
- Statement Date: 25 Mar 2016
- Date Updated: 28 Mar 2016
We have reviewed the submission below and determined that it's not an issue. The discovered issue is not applicable as the product port (http) is not meant to be used on an internet-facing connection. Deployment of the product service is intranet only. The product is also in maintenance release only and has been for over a year. The port (http) is used to monitor running jobs. There is no sensitive data there, and the discovered issue of a possible DDOS means the service would be unavailable at most (though this isn't an internet-deployed service, as mentioned above).
We are not aware of further vendor information regarding this vulnerability.
The following points should be considered with respect to the above statement:
• The Backburner Manager process is not an HTTP service. It is a command-line interface that can be connected to directly (e.g. with telnet).
• Backburner Manager has been observed to listen on multiple ports, though in a default configuration, port 3234 is specified.
• The manner in which Backburner is deployed almost certainly varies by user, regardless of the intentions of the vendor. Users should be aware that it permits the execution of arbitrary code by design (CVE-2007-4749).
• The buffer overflow vulnerability (CVE-2016-2344) may be leveraged to terminate the Backburner service (a denial-of-service condition, not a distributed one). Code execution is also possible, but it grants an attacker no additional advantage, because Backburner already permits arbitrary code execution by design (CVE-2007-4749).
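The following is an added illustration of the bug class named in this note (a stack-based buffer overflow in a line-oriented TCP command handler) and of the bounded-copy form that prevents it. It is not Backburner's code and says nothing about where CVE-2016-2344 actually lies: the command name "JOBSTATUS", the 64-byte buffer, and the function names are all hypothetical, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size and command name; not taken from Backburner. */
#define CMD_MAX 64

/* Vulnerable pattern: a line received from the socket is copied into a
 * fixed-size stack buffer with no length check. A line of CMD_MAX bytes or
 * more overwrites what follows the buffer on the stack (canary, saved frame
 * pointer, return address). The cheapest outcome is a crash, i.e. the
 * denial-of-service condition described above; with control of the saved
 * return address, code execution is possible as well. */
int handle_line_unsafe(const char *line)
{
    char cmd[CMD_MAX];
    strcpy(cmd, line);              /* unbounded copy: the overflow is here */
    return strncmp(cmd, "JOBSTATUS", 9) == 0 ? 1 : 0;
}

/* Hardened form: check the length against the buffer before touching it,
 * drop over-long lines as a protocol error, and copy with an explicit bound
 * so the buffer can never be written past its end. Returns 1 for the
 * hypothetical JOBSTATUS command, 0 for any other command, -1 if rejected. */
int handle_line_safe(const char *line, size_t line_len)
{
    char cmd[CMD_MAX];
    if (line_len >= sizeof cmd)
        return -1;                  /* too long for the buffer: reject */
    memcpy(cmd, line, line_len);
    cmd[line_len] = '\0';
    return strncmp(cmd, "JOBSTATUS", 9) == 0 ? 1 : 0;
}

/* Builds a constructed 199-byte line of 'A's (far past CMD_MAX) and feeds it
 * only to the hardened handler. Feeding it to handle_line_unsafe() would be
 * undefined behaviour, so that call is deliberately never made here. */
int demo_overlong_rejected(void)
{
    char longline[200];
    memset(longline, 'A', sizeof longline - 1);
    longline[sizeof longline - 1] = '\0';
    return handle_line_safe(longline, strlen(longline));
}

int main(void)
{
    printf("safe, normal command: %d\n", handle_line_safe("JOBSTATUS 7", 11));
    printf("safe, other command:  %d\n", handle_line_safe("QUIT", 4));
    printf("safe, over-long line: %d\n", demo_overlong_rejected());
    return 0;
}
```

The point of the pair is the check that precedes the copy: the unsafe handler trusts the length of whatever the remote peer sent, while the safe handler bounds every write by the size of the destination. Because the service is a plain TCP command interface reachable with telnet, any host that can reach the listening port can deliver an over-long line.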
If you have feedback, comments, or additional information about this vulnerability, please send us email.