
CVE-2024-3094

Xz: malicious code in distributed source

  • Severity Score (CVSS v3.1): 10.0
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 34
  • Exploited in Wild (KEV): -
  • Decision (SSVC): Attend

Descriptions

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.


*Credits: Red Hat would like to thank Andres Freund for reporting this issue.
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: None
  • Automatable: Yes
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2024-03-29 CVE Reserved
  • 2024-03-29 CVE Published
  • 2024-03-29 First Exploit
  • 2024-08-20 CVE Updated
  • 2024-10-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-506: Embedded Malicious Code
CAPEC
References (88)
URL Tag Source
http://www.openwall.com/lists/oss-security/2024/03/29/10
http://www.openwall.com/lists/oss-security/2024/03/29/12
http://www.openwall.com/lists/oss-security/2024/03/29/4
http://www.openwall.com/lists/oss-security/2024/03/29/5
http://www.openwall.com/lists/oss-security/2024/03/29/8
http://www.openwall.com/lists/oss-security/2024/03/30/12
http://www.openwall.com/lists/oss-security/2024/03/30/27
http://www.openwall.com/lists/oss-security/2024/03/30/36
http://www.openwall.com/lists/oss-security/2024/03/30/5
http://www.openwall.com/lists/oss-security/2024/04/16/5
https://ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem
https://arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections Third Party Advisory
https://aws.amazon.com/security/security-bulletins/AWS-2024-002 Third Party Advisory
https://blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
https://boehs.org/node/everything-i-know-about-the-xz-backdoor Third Party Advisory
https://bugs.gentoo.org/928134 Issue Tracking
https://bugzilla.suse.com/show_bug.cgi?id=1222124 Issue Tracking
https://discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405 Third Party Advisory
https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27 Third Party Advisory
https://github.com/advisories/GHSA-rxwq-x6h5-x525 Third Party Advisory
https://github.com/amlweems/xzbot
https://github.com/karcherm/xz-malware Third Party Advisory
https://gynvael.coldwind.pl/?lang=en&id=782 Technical Description
https://lists.debian.org/debian-security-announce/2024/msg00057.html Mailing List
https://lists.freebsd.org/archives/freebsd-security/2024-March/000248.html Third Party Advisory
https://lwn.net/Articles/967180 Issue Tracking
https://news.ycombinator.com/item?id=39865810 Issue Tracking
https://news.ycombinator.com/item?id=39877267 Issue Tracking
https://news.ycombinator.com/item?id=39895344
https://openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094 Third Party Advisory
https://research.swtch.com/xz-script
https://research.swtch.com/xz-timeline
https://security-tracker.debian.org/tracker/CVE-2024-3094 Third Party Advisory
https://security.alpinelinux.org/vuln/CVE-2024-3094 Third Party Advisory
https://security.archlinux.org/CVE-2024-3094 Third Party Advisory
https://security.netapp.com/advisory/ntap-20240402-0001
https://twitter.com/LetsDefendIO/status/1774804387417751958 Third Party Advisory
https://twitter.com/debian/status/1774219194638409898 Media Coverage
https://twitter.com/infosecb/status/1774595540233167206 Media Coverage
https://twitter.com/infosecb/status/1774597228864139400 Media Coverage
https://ubuntu.com/security/CVE-2024-3094 Third Party Advisory
https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 Third Party Advisory
https://www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils Third Party Advisory
https://www.kali.org/blog/about-the-xz-backdoor
https://www.openwall.com/lists/oss-security/2024/03/29/4 Mailing List
https://www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils Third Party Advisory
https://www.theregister.com/2024/03/29/malicious_backdoor_xz Media Coverage
https://www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
https://xeiaso.net/notes/2024/xz-vuln Third Party Advisory
URL Date SRC
https://github.com/r0binak/xzk8s 2024-04-06
https://github.com/lypd0/CVE-2024-3094-Vulnerabity-Checker 2024-03-29
https://github.com/DANO-AMP/CVE-2024-3094 2024-07-05
https://github.com/Security-Phoenix-demo/CVE-2024-3094-fix-exploits 2024-04-03
https://github.com/byinarie/CVE-2024-3094-info 2024-04-01
https://github.com/FabioBaroni/CVE-2024-3094-checker 2024-03-31
https://github.com/alokemajumder/CVE-2024-3094-Vulnerability-Checker-Fixer 2024-04-07
https://github.com/teyhouse/CVE-2024-3094 2024-03-31
https://github.com/gustavorobertux/CVE-2024-3094 2024-04-02
https://github.com/wgetnz/CVE-2024-3094-check 2024-03-30
https://github.com/Yuma-Tsushima07/CVE-2024-3094 2024-03-31
https://github.com/crfearnworks/ansible-CVE-2024-3094 2024-04-04
https://github.com/ScrimForever/CVE-2024-3094 2024-04-02
https://github.com/pentestfunctions/CVE-2024-3094 2024-04-02
https://github.com/isuruwa/CVE-2024-3094 2024-03-31
https://github.com/Bella-Bc/xz-backdoor-CVE-2024-3094-Check 2024-04-03
https://github.com/devjanger/CVE-2024-3094-XZ-Backdoor-Detector 2024-04-02
https://github.com/reuteras/CVE-2024-3094 2024-05-05
https://github.com/Simplifi-ED/CVE-2024-3094-patcher 2024-03-31
https://github.com/ashwani95/CVE-2024-3094 2024-03-30
https://github.com/Fractal-Tess/CVE-2024-3094 2024-03-30
https://github.com/Horizon-Software-Development/CVE-2024-3094 2024-03-30
https://github.com/Mustafa1986/CVE-2024-3094 2024-04-01
https://github.com/mightysai1997/CVE-2024-3094 2024-03-31
https://github.com/mightysai1997/CVE-2024-3094-info 2024-03-31
https://github.com/shefirot/CVE-2024-3094 2024-06-11
https://github.com/CyberGuard-Foundation/CVE-2024-3094 2024-04-03
https://github.com/dah4k/CVE-2024-3094 2024-04-01
https://github.com/TheTorjanCaptain/CVE-2024-3094-Checker 2024-04-03
https://github.com/k4t3pr0/Check-CVE-2024-3094 2024-03-31
https://github.com/hazemkya/CVE-2024-3094-checker 2024-03-31
https://github.com/iheb2b/CVE-2024-3094-Checker 2024-04-06
https://github.com/OpensourceICTSolutions/xz_utils-CVE-2024-3094 2024-03-29
https://github.com/brinhosa/CVE-2024-3094-One-Liner 2024-04-01
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Tukaani XZ 5.6.0 - Affected
Tukaani XZ 5.6.1 - Affected