CVE-2024-3094

critical

Description

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file present in the source code, and that object file is then used to modify specific functions in the liblzma code. The result is a modified liblzma library that can be used by any software linked against it, intercepting and modifying that software's data interaction with the library.

From the Tenable Blog

Frequently Asked Questions About CVE-2024-3094, A Backdoor in XZ Utils

Published: 2024-03-29

Frequently asked questions about CVE-2024-3094, a supply-chain attack responsible for a backdoor in XZ Utils, a widely used library found in multiple Linux distributions.

References

https://securelist.com/vulnerability-report-q1-2024/112554/

https://securelist.com/xz-backdoor-story-part-1/112354/

https://www.nytimes.com/2024/04/03/technology/prevent-cyberattack-linux.html

https://cloud.google.com/support/bulletins#gcp-2024-021

https://research.swtch.com/xz-timeline

https://isc.sans.edu/diary/rss/30802

https://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/

https://github.com/FabioBaroni/CVE-2024-3094-checker

https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor

https://www.theregister.com/2024/03/29/malicious_backdoor_xz/

https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils

https://www.openwall.com/lists/oss-security/2024/03/29/4

https://www.kali.org/blog/about-the-xz-backdoor/

https://github.com/byinarie/CVE-2024-3094-info

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

https://xeiaso.net/notes/2024/xz-vuln/

https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094

https://www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users

https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils

https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094

https://ubuntu.com/security/CVE-2024-3094

https://twitter.com/infosecb/status/1774597228864139400

https://twitter.com/infosecb/status/1774595540233167206

https://twitter.com/debian/status/1774219194638409898

https://twitter.com/LetsDefendIO/status/1774804387417751958

https://tukaani.org/xz-backdoor/

https://security.netapp.com/advisory/ntap-20240402-0001/

https://security.archlinux.org/CVE-2024-3094

https://security.alpinelinux.org/vuln/CVE-2024-3094

https://security-tracker.debian.org/tracker/CVE-2024-3094

https://research.swtch.com/xz-script

https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/

https://news.ycombinator.com/item?id=39895344

https://news.ycombinator.com/item?id=39877267

https://news.ycombinator.com/item?id=39865810

https://lwn.net/Articles/967180/

https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html

https://lists.debian.org/debian-security-announce/2024/msg00057.html

https://gynvael.coldwind.pl/?lang=en&id=782

https://github.com/karcherm/xz-malware

https://github.com/amlweems/xzbot

https://github.com/advisories/GHSA-rxwq-x6h5-x525

https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405

https://bugzilla.suse.com/show_bug.cgi?id=1222124

https://bugzilla.redhat.com/show_bug.cgi?id=2272210

https://bugs.gentoo.org/928134

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024

https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz

https://aws.amazon.com/security/security-bulletins/AWS-2024-002/

https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/

https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/

https://access.redhat.com/security/cve/CVE-2024-3094

http://www.openwall.com/lists/oss-security/2024/04/16/5

http://www.openwall.com/lists/oss-security/2024/03/30/5

http://www.openwall.com/lists/oss-security/2024/03/30/36

http://www.openwall.com/lists/oss-security/2024/03/30/27

http://www.openwall.com/lists/oss-security/2024/03/30/12

http://www.openwall.com/lists/oss-security/2024/03/29/8

http://www.openwall.com/lists/oss-security/2024/03/29/5

http://www.openwall.com/lists/oss-security/2024/03/29/4

http://www.openwall.com/lists/oss-security/2024/03/29/12

http://www.openwall.com/lists/oss-security/2024/03/29/10

Details

Source: Mitre, NVD

Published: 2024-03-29

Updated: 2024-05-01

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Severity: Critical