Malicious Code Discovered in xz Upstream Tarballs, Affecting liblzma and Other Dependent Packages
CVE-2024-3094

10CRITICAL

Key Information:

Vendor
Red Hat
Vendor
CVE Published:
29 March 2024

Badges

🥇 Trended No. 1📈 Trended📈 Score: 262,000👾 Exploit Exists🟡 Public PoC🟣 EPSS 63%📰 News Worthy

What is CVE-2024-3094?

CVE-2024-3094 is a critical vulnerability affecting the xz utility, specifically through its upstream tarballs starting from version 5.6.0. xz is widely used for data compression in various systems and applications, including software packages and libraries. This vulnerability introduces malicious code that can manipulate the liblzma library, crucial for handling data compression tasks. Organizations utilizing software that links against liblzma may find their data integrity compromised, as the vulnerability allows for data interception and unauthorized modifications, severely threatening the confidentiality and accuracy of critical data operations.

Technical Details

The vulnerability originates from a sophisticated supply chain attack where obfuscated malicious code was embedded within the upstream tarballs of xz. Upon building the liblzma library, the build process extracts a disguised and prebuilt object file from a specially crafted test file present in the source code. This compromised object file alters essential functions within the liblzma library, enabling attackers to intercept and manipulate the data being processed by any software that depends on this library. The stealthy nature of the obfuscation makes detection challenging, allowing the backdoor to remain concealed.

Impact of the Vulnerability

  1. Data Integrity Breach: The manipulation of the liblzma library can lead to unauthorized alteration of compressed data, posing a significant risk to the integrity of crucial information handled by affected systems.

  2. Widespread Consequences for Dependent Software: Since liblzma is a common dependency in numerous applications and libraries, the impact of this vulnerability can cascade, potentially affecting a wide range of software ecosystems.

  3. Increased Attack Surface: By enabling data interception capabilities, this vulnerability may allow attackers to exploit further weaknesses, potentially leading to additional security breaches or the injection of additional malicious payloads into other processes or systems.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

News Articles

CVE-2024-3094: malicious code in Linux distributions

Vulnerability CVE-2024-3094. The attackers implanted a backdoor into the compression utilities set XZ Utils versions 5.6.0 and 5.6.1.

3 weeks ago

Leveraging Wazuh for Zero Trust security

Learn how Zero Trust security protects organizations by eliminating implicit trust, enabling continuous monitoring, and enhancing incident response

3 months ago

CVE-2024-3094 and XZ Upstream Supply Chain Attack | CrowdStrike

Learn about the CVE-2024-3094 and XZ Upstream Supply Chain Attack and how CrowdStrike is protecting its customers from exploitation.

4 months ago

References

EPSS Score

63% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • 🥇

    Vulnerability reached the number 1 worldwide trending spot

  • 📈

    Vulnerability started trending

  • 📰

    First article discovered by Beeping Computers

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Andres Freund for reporting this issue.
.