Vulnerabilities > CVE-2024-3094 - Unspecified vulnerability in Tukaani XZ 5.6.0/5.6.1
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 |
Related news
- Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros (source)
- Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution (source)
- New XZ backdoor scanner detects implant in any Linux binary (source)
- XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor (source)
References
- http://www.openwall.com/lists/oss-security/2024/03/29/10
- http://www.openwall.com/lists/oss-security/2024/03/29/10
- http://www.openwall.com/lists/oss-security/2024/03/29/12
- http://www.openwall.com/lists/oss-security/2024/03/29/12
- http://www.openwall.com/lists/oss-security/2024/03/29/4
- http://www.openwall.com/lists/oss-security/2024/03/29/4
- http://www.openwall.com/lists/oss-security/2024/03/29/5
- http://www.openwall.com/lists/oss-security/2024/03/29/5
- http://www.openwall.com/lists/oss-security/2024/03/29/8
- http://www.openwall.com/lists/oss-security/2024/03/29/8
- http://www.openwall.com/lists/oss-security/2024/03/30/12
- http://www.openwall.com/lists/oss-security/2024/03/30/12
- http://www.openwall.com/lists/oss-security/2024/03/30/27
- http://www.openwall.com/lists/oss-security/2024/03/30/27
- http://www.openwall.com/lists/oss-security/2024/03/30/36
- http://www.openwall.com/lists/oss-security/2024/03/30/36
- http://www.openwall.com/lists/oss-security/2024/03/30/5
- http://www.openwall.com/lists/oss-security/2024/03/30/5
- http://www.openwall.com/lists/oss-security/2024/04/16/5
- http://www.openwall.com/lists/oss-security/2024/04/16/5
- https://access.redhat.com/security/cve/CVE-2024-3094
- https://access.redhat.com/security/cve/CVE-2024-3094
- https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
- https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
- https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
- https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
- https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
- https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
- https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
- https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor
- https://boehs.org/node/everything-i-know-about-the-xz-backdoor
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
- https://bugs.gentoo.org/928134
- https://bugs.gentoo.org/928134
- https://bugzilla.redhat.com/show_bug.cgi?id=2272210
- https://bugzilla.redhat.com/show_bug.cgi?id=2272210
- https://bugzilla.suse.com/show_bug.cgi?id=1222124
- https://bugzilla.suse.com/show_bug.cgi?id=1222124
- https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
- https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
- https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
- https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
- https://github.com/advisories/GHSA-rxwq-x6h5-x525
- https://github.com/advisories/GHSA-rxwq-x6h5-x525
- https://github.com/amlweems/xzbot
- https://github.com/amlweems/xzbot
- https://github.com/karcherm/xz-malware
- https://github.com/karcherm/xz-malware
- https://gynvael.coldwind.pl/?lang=en&id=782
- https://gynvael.coldwind.pl/?lang=en&id=782
- https://lists.debian.org/debian-security-announce/2024/msg00057.html
- https://lists.debian.org/debian-security-announce/2024/msg00057.html
- https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
- https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
- https://lwn.net/Articles/967180/
- https://lwn.net/Articles/967180/
- https://news.ycombinator.com/item?id=39865810
- https://news.ycombinator.com/item?id=39865810
- https://news.ycombinator.com/item?id=39877267
- https://news.ycombinator.com/item?id=39877267
- https://news.ycombinator.com/item?id=39895344
- https://news.ycombinator.com/item?id=39895344
- https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
- https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
- https://research.swtch.com/xz-script
- https://research.swtch.com/xz-script
- https://research.swtch.com/xz-timeline
- https://research.swtch.com/xz-timeline
- https://security.alpinelinux.org/vuln/CVE-2024-3094
- https://security.alpinelinux.org/vuln/CVE-2024-3094
- https://security.archlinux.org/CVE-2024-3094
- https://security.archlinux.org/CVE-2024-3094
- https://security.netapp.com/advisory/ntap-20240402-0001/
- https://security.netapp.com/advisory/ntap-20240402-0001/
- https://security-tracker.debian.org/tracker/CVE-2024-3094
- https://security-tracker.debian.org/tracker/CVE-2024-3094
- https://tukaani.org/xz-backdoor/
- https://tukaani.org/xz-backdoor/
- https://twitter.com/debian/status/1774219194638409898
- https://twitter.com/debian/status/1774219194638409898
- https://twitter.com/infosecb/status/1774595540233167206
- https://twitter.com/infosecb/status/1774595540233167206
- https://twitter.com/infosecb/status/1774597228864139400
- https://twitter.com/infosecb/status/1774597228864139400
- https://twitter.com/LetsDefendIO/status/1774804387417751958
- https://twitter.com/LetsDefendIO/status/1774804387417751958
- https://ubuntu.com/security/CVE-2024-3094
- https://ubuntu.com/security/CVE-2024-3094
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
- https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
- https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
- https://www.kali.org/blog/about-the-xz-backdoor/
- https://www.kali.org/blog/about-the-xz-backdoor/
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://www.openwall.com/lists/oss-security/2024/03/29/4
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
- https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
- https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
- https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
- https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
- https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
- https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
- https://xeiaso.net/notes/2024/xz-vuln/
- https://xeiaso.net/notes/2024/xz-vuln/