CVE-2024-3094

critical

Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.

From the Tenable Blog

Frequently Asked Questions About CVE-2024-3094, A Backdoor in XZ Utils

Published: 2024-03-29

Frequently asked questions about CVE-2024-3094, a supply-chain attack responsible for a backdoor in XZ Utils, a widely used library found in multiple Linux distributions.

References

https://www.theregister.com/2024/03/29/malicious_backdoor_xz/

https://www.kali.org/blog/about-the-xz-backdoor/

https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

https://twitter.com/infosecb/status/1774597228864139400

https://twitter.com/infosecb/status/1774595540233167206

https://twitter.com/debian/status/1774219194638409898

https://tukaani.org/xz-backdoor/

https://security.netapp.com/advisory/ntap-20240402-0001/

https://research.swtch.com/xz-script

https://news.ycombinator.com/item?id=39895344

https://news.ycombinator.com/item?id=39877267

https://github.com/amlweems/xzbot

https://bugzilla.redhat.com/show_bug.cgi?id=2272210

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz

https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/

https://access.redhat.com/security/cve/CVE-2024-3094

http://www.openwall.com/lists/oss-security/2024/04/16/5

http://www.openwall.com/lists/oss-security/2024/03/30/5

http://www.openwall.com/lists/oss-security/2024/03/30/36

http://www.openwall.com/lists/oss-security/2024/03/30/27

http://www.openwall.com/lists/oss-security/2024/03/30/12

http://www.openwall.com/lists/oss-security/2024/03/29/8

http://www.openwall.com/lists/oss-security/2024/03/29/5

http://www.openwall.com/lists/oss-security/2024/03/29/4

http://www.openwall.com/lists/oss-security/2024/03/29/12

http://www.openwall.com/lists/oss-security/2024/03/29/10

Details

Source: Mitre, NVD

Published: 2024-03-29

Updated: 2025-02-06

Named Vulnerability: xz/liblzma backdoor

Named Vulnerability: xz-utils backdoor

Named Vulnerability: xz utils backdoor

Named Vulnerability: XZ Utils vulnerability

Named Vulnerability: XZ Utils supply chain attack

Named Vulnerability: XZ Utils library vulnerability

Named Vulnerability: XZ Utils backdoor

Named Vulnerability: XZ Utils Vulnerability

Named Vulnerability: XZ Utils SSHd Backdoor

Named Vulnerability: XZ Utils Backdoor

Named Vulnerability: XZ Utils

Named Vulnerability: XZ Backdoor

Named Vulnerability: The XZ Backdoor

Named Vulnerability: Backdoored XZ Utils

Named Vulnerability: Aardvark Infinity

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.84431

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability of Interest