CVE-2024-20677

EUVD-2024-18392

09.01.2024, 18:15

A security vulnerability exists in FBX that could lead to remote code execution. To mitigate this vulnerability, the ability to insert FBX files has been disabled in Word, Excel, PowerPoint and Outlook for Windows and Mac. Versions of Office that had this feature enabled will no longer have access to it. This includes Office 2019, Office 2021, Office LTSC for Mac 2021, and Microsoft 365. As of February 13, 2024, the ability to insert FBX files has also been disabled in 3D Viewer.
3D models in Office documents that were previously inserted from a FBX file will continue to work as expected unless the Link to File option was chosen at insert time.
This change is effective as of the January 9, 2024 security update.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
microsoft	CNA	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 60%

Affected Products (NVD)

Vendor	Product	Version
microsoft	365_apps	-
microsoft	365_apps	𝑥 < 2312
microsoft	office	𝑥 < 2312

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
microsoft	3d_viewer	7.0.0 ≤ 𝑥 < 7.2401.29012.0	CNA
microsoft	3d_viewer	16.0.1 ≤ 𝑥 < 16.81.24011420	CNA

Common Weakness Enumeration

CWE-122 - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20677