Autodesk Trust Center

Security advisory

Advisories are used to communicate information related to vulnerabilities identified with Autodesk® products and services. This includes any fixes or workarounds that are applicable to the affected product.

XZ Utils Backdoor Vulnerability CVE-2024-3094


Autodesk ID: ADSK-SA-2024-0007

Product, Service, Component: XZ

Impact: Embedded Malicious Code

Severity: High

Original Publish: 4/8/2024

Last Revised: 4/8/2024

Severity | CVSS Score | Impact
Low      | 0.1 - 3.9  | A vulnerability where the scope and impact of exploitation are restricted and exploitation is extremely difficult.
Medium   | 4.0 - 6.9  | A vulnerability where exploitation is mitigated by factors such as difficulty of exploitation, default configuration, or ease of identification.
High     | 7.0 - 8.9  | A vulnerability which, if exploited, would directly impact the confidentiality, integrity, or availability of the user's data or processing resources.
Critical | 9.0 - 10   | A vulnerability which, if exploited, would allow remote execution of malicious code without user action.

Summary

No versions of Autodesk Products are currently affected by this CVE.


Autodesk is aware of the XZ security vulnerabilities. We have protection and defense strategies in place to identify and remediate any impacted Autodesk products, services or systems should the need arise. Our investigation confirmed that all potentially vulnerable Autodesk products have been mitigated and currently no Autodesk products are affected by this vulnerability.


On the Open Source Security mailing list, it was disclosed that someone had intentionally planted a backdoor in the XZ Utils compression software. Malicious code added to XZ Utils versions 5.6.0 and 5.6.1 modified the way the software behaves when performing lzma compression or decompression operations. When these functions were invoked in the context of SSH, they allowed malicious code to be executed with root privileges. NVD also published the CVE on 3/29 (CVE-2024-3094), listing it as "modified".


It should be noted that the attack only works because Debian and Red Hat added functionality to sshd that is not present in sshd as distributed by its developers. The extra functionality adds systemd interaction, which requires libsystemd, which in turn requires liblzma, a component of the (compromised) XZ package.

Description

The details of the vulnerability are as follows:

  1. CVE-2024-3094 - Malicious code was discovered in the upstream tarballs of XZ, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source tree, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against it, intercepting and modifying the data it handles.

Affected Products

Item: Autodesk FBX Review

Impacted Versions: 1.5.3.0

Mitigated Versions: 1.5.4.0

Update Source: Autodesk FBX-Review


*Note: Product list table contents subject to change.

Recommendations

While Autodesk products are not currently affected by this vulnerability and no mitigation actions are necessary with respect to Autodesk product implementations, we recommend that customers check for the vulnerable versions of XZ Utils, 5.6.0 and 5.6.1, within their own environments and downgrade to a non-vulnerable version such as XZ Utils 5.4.6, as recommended by CISA: https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094.
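A host check that implements this recommendation, added here as an example and not part of the Autodesk advisory or any Autodesk tooling: it parses the installed XZ Utils version, flags the two backdoored releases, and reports whether the local sshd links liblzma (the distribution-specific path described above). It assumes `xz`, `sshd` and `ldd` are on the PATH.

```shell
#!/bin/sh
# Added example: detect the backdoored XZ Utils releases (CVE-2024-3094).

# Extract the version from `xz --version` output, whose first line looks
# like "xz (XZ Utils) 5.6.1" -> "5.6.1".
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*) \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 (true) only for the two releases named in the advisory.
xz_version_is_vulnerable() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# List liblzma shared objects the sshd binary links. On upstream sshd this
# prints nothing; on Debian/Red Hat builds libsystemd pulls liblzma in.
sshd_liblzma_deps() {
    sshd_path=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_path" ] || return 1
    ldd "$sshd_path" 2>/dev/null | grep -o '/[^ ]*liblzma[^ ]*'
}

# Full host check: exit 1 when a backdoored release is installed.
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed: not affected"
        return 0
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_is_vulnerable "$ver"; then
        echo "VULNERABLE: XZ Utils $ver (CVE-2024-3094); downgrade to 5.4.6"
        libs=$(sshd_liblzma_deps)
        [ -n "$libs" ] && echo "sshd links liblzma: $libs"
        return 1
    fi
    echo "XZ Utils $ver: not one of the backdoored releases"
    return 0
}

# Run the check only when invoked as `sh check_xz.sh --check`.
case "${1:-}" in
    --check) check_host ;;
esac
```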

Revision History

Revision: 1.0

Date: 4/8/2024

Description: Initial Release of the Security Advisory


Disclaimer

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND "AS IS" WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.