10.0 Critical
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
AI Score
Confidence
High
0.133 Low
EPSS
Percentile
95.6%
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0.
Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file shipped in the source tarball, and that object is then used to modify specific functions in the liblzma code. The result is a modified liblzma library that is loaded by any software linked against it, allowing the backdoor to intercept and modify the data passing through the library.
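Because the compromised library only matters on hosts that both run one of the backdoored releases and load liblzma into a sensitive process, a first-pass triage check looks at those two facts. The script below is an added example, not part of the advisory or the xz project: it parses `xz --version` for the 5.6.0/5.6.1 releases named above and inspects `ldd` output for a liblzma dependency of the sshd binary. The function names and the sample `xz --version` and `ldd` output are constructed for the example; only the version numbers come from the advisory.

```shell
#!/bin/sh
# Added example for CVE-2024-3094 triage (not from the advisory or the xz
# project). Two indicators are checked:
#   1. the installed xz/liblzma version is a backdoored release (5.6.0 or 5.6.1)
#   2. the sshd binary loads liblzma at all (directly or via another library)
# Function names below are this example's own.

# Return 0 (true) when $1 is one of the backdoored upstream release versions.
is_affected_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read `xz --version` output on stdin and print the bare version number,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1".
parse_xz_version() {
    sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Read `ldd <binary>` output on stdin and print the resolved path of liblzma
# if the binary loads it; print nothing otherwise.
lzma_from_ldd() {
    awk '/liblzma\.so/ { print $3; exit }'
}

# Combine the two indicators into a one-word verdict.
#   $1 = xz version string, $2 = liblzma path from ldd (may be empty)
classify() {
    if is_affected_version "$1"; then
        if [ -n "$2" ]; then
            echo "AFFECTED"            # backdoored release AND sshd loads it
        else
            echo "BACKDOORED-LIBRARY"  # bad release present, sshd not linked
        fi
    else
        echo "NOT-AFFECTED"
    fi
}

# Constructed sample output (not captured from a real host) so the parsers
# can be exercised offline.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD='	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0a1c000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0a1bf00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0a1bd00000)'

demo_constructed() {
    ver=$(printf '%s\n' "$SAMPLE_XZ_VERSION" | parse_xz_version)
    lib=$(printf '%s\n' "$SAMPLE_LDD" | lzma_from_ldd)
    classify "$ver" "$lib"
}

# Live check of the current host. Prints the verdict; exit status 0 means
# NOT-AFFECTED, 1 means an indicator was found, 2 means xz is not installed.
check_host() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found" >&2
        return 2
    fi
    ver=$(xz --version 2>/dev/null | parse_xz_version)
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    lib=""
    if [ -x "$sshd_bin" ]; then
        lib=$(ldd "$sshd_bin" 2>/dev/null | lzma_from_ldd)
    fi
    verdict=$(classify "$ver" "$lib")
    echo "xz=$ver sshd=$sshd_bin liblzma=${lib:-none} -> $verdict"
    [ "$verdict" = "NOT-AFFECTED" ]
}

# Run the live check only when invoked with --run, so the file can be sourced.
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Run `sh xz_check.sh --run` on a host to get the live verdict, or source the file and call `demo_constructed` to see the parsers on the constructed sample. A NOT-AFFECTED verdict only says the installed release is not 5.6.0 or 5.6.1; distributions that backported or repackaged those releases may carry different version strings, so confirm against the distribution advisory as well.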
Recent assessments:
SeanWrightFeat at April 02, 2024 6:05pm UTC reported:
The backdoor is present in versions 5.6.0 and 5.6.1.
This one has gained significant attention over the past few days. To date, there has been no observation that this backdoor was ever leveraged, and it will be unlikely to be so now, given the attention that it has received.
From a technical perspective, this one was difficult to detect and prevent since the payload was loaded and executed in memory (as part of the SSHD process). The backdoor allowed remote code to be executed via the SSH process, making it even harder to detect.
This backdoor was only discovered by chance, by a developer at Microsoft, Andres Freund. Andres was investigating a performance issue in SSH (which was caused by the backdoor), and then stumbled upon the backdoor. Details can be found in their post: <https://www.openwall.com/lists/oss-security/2024/03/29/4>. Also worth noting that the backdoor was not introduced into the code of xz, but rather the binaries. This means if you built the binaries from source, you did not include the backdoor.
noraj at April 03, 2024 8:52am UTC reported:
ccondon-r7 at April 03, 2024 7:28pm UTC reported:
Assessed Attacker Value: 5
Assessed Attacker Value: 5
Assessed Attacker Value: 1
www.openwall.com/lists/oss-security/2024/03/29/10
www.openwall.com/lists/oss-security/2024/03/29/12
www.openwall.com/lists/oss-security/2024/03/29/4
www.openwall.com/lists/oss-security/2024/03/29/5
www.openwall.com/lists/oss-security/2024/03/29/8
www.openwall.com/lists/oss-security/2024/03/30/12
www.openwall.com/lists/oss-security/2024/03/30/27
www.openwall.com/lists/oss-security/2024/03/30/36
www.openwall.com/lists/oss-security/2024/03/30/5
www.openwall.com/lists/oss-security/2024/04/16/5
access.redhat.com/security/cve/CVE-2024-3094
ariadne.space/2024/04/02/the-xz-utils-backdoor-is-a-symptom-of-a-larger-problem/
arstechnica.com/security/2024/03/backdoor-found-in-widely-used-linux-utility-breaks-encrypted-ssh-connections/
aws.amazon.com/security/security-bulletins/AWS-2024-002/
blog.netbsd.org/tnf/entry/statement_on_backdoor_in_xz
boehs.org/node/everything-i-know-about-the-xz-backdoor
bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
bugs.gentoo.org/928134
bugzilla.redhat.com/show_bug.cgi?id=2272210
bugzilla.suse.com/show_bug.cgi?id=1222124
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3094
discourse.nixos.org/t/cve-2024-3094-malicious-code-in-xz-5-6-0-and-5-6-1-tarballs/42405
gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27
github.com/advisories/GHSA-rxwq-x6h5-x525
github.com/alokemajumder/CVE-2024-3094-Vulnerability-Checker-Fixer
github.com/amlweems/xzbot
github.com/karcherm/xz-malware
github.com/lypd0/CVE-2024-3094-Vulnerabity-Checker
github.com/neuralinhibitor/xzwhy
gynvael.coldwind.pl/?lang=en&id=782
lists.debian.org/debian-security-announce/2024/msg00057.html
lists.freebsd.org/archives/freebsd-security/2024-March/000248.html
lwn.net/Articles/967180/
news.ycombinator.com/item?id=39865810
news.ycombinator.com/item?id=39877267
news.ycombinator.com/item?id=39895344
openssf.org/blog/2024/03/30/xz-backdoor-cve-2024-3094/
research.swtch.com/xz-script
research.swtch.com/xz-timeline
security-tracker.debian.org/tracker/CVE-2024-3094
security.alpinelinux.org/vuln/CVE-2024-3094
security.archlinux.org/CVE-2024-3094
security.netapp.com/advisory/ntap-20240402-0001/
tukaani.org/xz-backdoor/
twitter.com/debian/status/1774219194638409898
twitter.com/infosecb/status/1774595540233167206
twitter.com/infosecb/status/1774597228864139400
twitter.com/LetsDefendIO/status/1774804387417751958
ubuntu.com/security/CVE-2024-3094
www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094
www.darkreading.com/vulnerabilities-threats/are-you-affected-by-the-backdoor-in-xz-utils
www.kali.org/blog/about-the-xz-backdoor/
www.redhat.com/en/blog/urgent-security-alert-fedora-41-and-rawhide-users
www.tenable.com/blog/frequently-asked-questions-cve-2024-3094-supply-chain-backdoor-in-xz-utils
www.theregister.com/2024/03/29/malicious_backdoor_xz/
www.vicarius.io/vsociety/vulnerabilities/cve-2024-3094
xeiaso.net/notes/2024/xz-vuln/