XZ_Vulnerability

Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)

Description of the vulnerability per NIST:

“Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting, and modifying the data interaction with this library.”

This vulnerability was intentionally induced by a supply chain attack. Starting in 2021, a suspected Threat Actor started to submit patches to open-source project on GITHUB, eventually focusing on the XZ Utils repository and becoming a co-developer. A fuller timeline of events can be found here. The backdoor/vulnerability was fully introduced in versions 5.6.0 and 5.6.1 of xz utils in February. Most production Linux distributions have not adopted these patches, but please check the following section to confirm that no affected versions are present in your environment.

Affected & Fixed Versions

Recommendations and Mitigations

SecurIT360 Managed SOC Clients:

  • For all active managed SOC EDR clients, we have checked our inventory across products and have already reached out if you have an affected Linux distribution.
  • For all active managed SOC MDR clients, we have also run an external Nessus vulnerability scan looking for affected versions and have again already reached out to any and all affected clients.

Otherwise, if you have any Linux endpoint that we do not monitor that you are concerned may be affected by this vulnerability, you can run a simple command of “xz –version” or “xz ultis –version” on these endpoints to confirm your versioning on the endpoint in question:

If any of your endpoints do presently use 5.6.0 and 5.6.1 of XZ Utils, we would recommend either updating or downgrading packages per the table above. For the case of Fedora 40-41 and Rawhide specifically the recommendation from Red Hat would be to power-down or stop using Rawhide for the time being, and to move to packages 5.4.X for Fedora 40-41. See Red Hat’s blog post on the subject for more information.

Resources & Related Articles

Proactively Guard Your Business From Cybersecurity and IT Threats. Request a Free Consultation Today.