CVE-2024-3094

29.03.2024, 17:15

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. 
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
redhat	CNA	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Vendor	Product	Version
tukaani	xz	5.6.0
tukaani	xz	5.6.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

xz-utils

bullseye (security)	5.2.5-2.1~deb11u1 fixed
bullseye	5.2.5-2.1~deb11u1 not-affected
bookworm	5.4.1-1 not-affected
buster	not-affected
bookworm (security)	5.4.1-1 fixed
sid	5.8.1-1 fixed
trixie	5.8.1-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

xz-utils

noble	not-affected
mantic	not-affected
jammy	not-affected
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

Common Weakness Enumeration

CWE-506 - Embedded Malicious Code
The application contains code that appears to be malicious in nature.

References

https://access.redhat.com/security/cve/CVE-2024-3094

https://bugzilla.redhat.com/show_bug.cgi?id=2272210

https://www.openwall.com/lists/oss-security/2024/03/29/4

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

http://www.openwall.com/lists/oss-security/2024/03/29/10

http://www.openwall.com/lists/oss-security/2024/03/29/12

http://www.openwall.com/lists/oss-security/2024/03/29/4

http://www.openwall.com/lists/oss-security/2024/03/29/5

http://www.openwall.com/lists/oss-security/2024/03/29/8

http://www.openwall.com/lists/oss-security/2024/03/30/12

http://www.openwall.com/lists/oss-security/2024/03/30/27

http://www.openwall.com/lists/oss-security/2024/03/30/36

http://www.openwall.com/lists/oss-security/2024/03/30/5

http://www.openwall.com/lists/oss-security/2024/04/16/5

https://access.redhat.com/security/cve/CVE-2024-3094

https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/

https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

https://aws.amazon.com/security/security-bulletins/AWS-2024-002/

https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

https://bugs.gentoo.org/928134

https://bugzilla.redhat.com/show_bug.cgi?id=2272210

https://bugzilla.suse.com/show_bug.cgi?id=1222124

https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

https://github.com/advisories/GHSA-rxwq-x6h5-x525

https://github.com/amlweems/xzbot

https://github.com/karcherm/xz-malware

https://gynvael.coldwind.pl/?lang=en&id=782

https://lists.debian.org/debian-security-announce/2024/msg00057.html

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

https://lwn.net/Articles/967180/

https://news.ycombinator.com/item?id=39865810

https://news.ycombinator.com/item?id=39877267

https://news.ycombinator.com/item?id=39895344

https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/

https://research.swtch.com/xz-script

https://research.swtch.com/xz-timeline

https://security-tracker.debian.org/tracker/CVE-2024-3094

https://security.alpinelinux.org/vuln/CVE-2024-3094

https://security.archlinux.org/CVE-2024-3094

https://security.netapp.com/advisory/ntap-20240402-0001/

https://tukaani.org/xz-backdoor/

https://twitter.com/LetsDefendIO/status/1774804387417751958

https://twitter.com/debian/status/1774219194638409898

https://twitter.com/infosecb/status/1774595540233167206

https://twitter.com/infosecb/status/1774597228864139400

https://ubuntu.com/security/CVE-2024-3094

https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils

https://www.kali.org/blog/about-the-xz-backdoor/

https://www.openwall.com/lists/oss-security/2024/03/29/4

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils

https://www.theregister.com/2024/03/29/malicious_backdoor_xz/

https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094

https://xeiaso.net/notes/2024/xz-vuln/