10

CVE-2024-3094

Warnung
Medienbericht

Xz: malicious code in distributed source

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. 
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
TukaaniXz Version5.6.0
TukaaniXz Version5.6.1
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 85.97% 0.997
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 10 3.9 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
secalert@redhat.com 10 3.9 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-506 Embedded Malicious Code

The product contains code that appears to be malicious in nature.

https://access.redhat.com/security/cve/CVE-2024-3094
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2272210
Vendor Advisory
Issue Tracking
https://www.openwall.com/lists/oss-security/2024/03/29/4
Mailing List
https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
Vendor Advisory
http://www.openwall.com/lists/oss-security/2024/03/29/10
http://www.openwall.com/lists/oss-security/2024/03/29/12
http://www.openwall.com/lists/oss-security/2024/03/29/4
http://www.openwall.com/lists/oss-security/2024/03/29/5
http://www.openwall.com/lists/oss-security/2024/03/29/8
http://www.openwall.com/lists/oss-security/2024/03/30/12
http://www.openwall.com/lists/oss-security/2024/03/30/27
http://www.openwall.com/lists/oss-security/2024/03/30/36
http://www.openwall.com/lists/oss-security/2024/03/30/5
http://www.openwall.com/lists/oss-security/2024/04/16/5
https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
Third Party Advisory
https://aws.amazon.com/security/security-bulletins/AWS-2024-002/
Third Party Advisory
https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
Vendor Advisory
Mailing List
https://bugs.gentoo.org/928134
Third Party Advisory
Issue Tracking
https://bugzilla.suse.com/show_bug.cgi?id=1222124
Third Party Advisory
Issue Tracking
https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
Third Party Advisory
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
Third Party Advisory
https://github.com/advisories/GHSA-rxwq-x6h5-x525
Third Party Advisory
https://github.com/amlweems/xzbot
https://github.com/karcherm/xz-malware
Third Party Advisory
https://gynvael.coldwind.pl/?lang=en&id=782
Third Party Advisory
Technical Description
https://lists.debian.org/debian-security-announce/2024/msg00057.html
Third Party Advisory
Mailing List
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
Third Party Advisory
https://lwn.net/Articles/967180/
Third Party Advisory
Issue Tracking
https://news.ycombinator.com/item?id=39865810
Third Party Advisory
Issue Tracking
https://news.ycombinator.com/item?id=39877267
Issue Tracking
https://news.ycombinator.com/item?id=39895344
https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
Third Party Advisory
https://research.swtch.com/xz-script
https://research.swtch.com/xz-timeline
https://security-tracker.debian.org/tracker/CVE-2024-3094
Third Party Advisory
https://security.alpinelinux.org/vuln/CVE-2024-3094
Third Party Advisory
https://security.archlinux.org/CVE-2024-3094
Third Party Advisory
https://security.netapp.com/advisory/ntap-20240402-0001/
https://tukaani.org/xz-backdoor/
Vendor Advisory
Issue Tracking
https://twitter.com/LetsDefendIO/status/1774804387417751958
Third Party Advisory
https://twitter.com/debian/status/1774219194638409898
Press/Media Coverage
https://twitter.com/infosecb/status/1774595540233167206
Press/Media Coverage
https://twitter.com/infosecb/status/1774597228864139400
Press/Media Coverage
https://ubuntu.com/security/CVE-2024-3094
Third Party Advisory
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
Third Party Advisory
US Government Resource
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
Third Party Advisory
https://www.kali.org/blog/about-the-xz-backdoor/
https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
Third Party Advisory
https://www.theregister.com/2024/03/29/malicious_backdoor_xz/
Press/Media Coverage
https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
https://xeiaso.net/notes/2024/xz-vuln/
Third Party Advisory
https://www.binarly.io/blog/persistent-risk-xz-utils-backdoor-still-lurking-in-docker-images