Malicious Code Discovered in xz Upstream Tarballs, Affecting liblzma and Other Dependent Packages
CVE-2024-3094
Key Information:
- Vendor
Tukaani
- Vendor
- CVE Published:
- 29 March 2024
Badges
What is CVE-2024-3094?
CVE-2024-3094 is a critical vulnerability affecting the xz utility, specifically through its upstream tarballs starting from version 5.6.0. xz is widely used for data compression in various systems and applications, including software packages and libraries. This vulnerability introduces malicious code that can manipulate the liblzma library, crucial for handling data compression tasks. Organizations utilizing software that links against liblzma may find their data integrity compromised, as the vulnerability allows for data interception and unauthorized modifications, severely threatening the confidentiality and accuracy of critical data operations.
Technical Details
The vulnerability originates from a sophisticated supply chain attack where obfuscated malicious code was embedded within the upstream tarballs of xz. Upon building the liblzma library, the build process extracts a disguised and prebuilt object file from a specially crafted test file present in the source code. This compromised object file alters essential functions within the liblzma library, enabling attackers to intercept and manipulate the data being processed by any software that depends on this library. The stealthy nature of the obfuscation makes detection challenging, allowing the backdoor to remain concealed.
Impact of the Vulnerability
-
Data Integrity Breach: The manipulation of the liblzma library can lead to unauthorized alteration of compressed data, posing a significant risk to the integrity of crucial information handled by affected systems.
-
Widespread Consequences for Dependent Software: Since liblzma is a common dependency in numerous applications and libraries, the impact of this vulnerability can cascade, potentially affecting a wide range of software ecosystems.
-
Increased Attack Surface: By enabling data interception capabilities, this vulnerability may allow attackers to exploit further weaknesses, potentially leading to additional security breaches or the injection of additional malicious payloads into other processes or systems.
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
KasperskyCVE-2024-3094CVE-2024-3094: malicious code in Linux distributions
Vulnerability CVE-2024-3094. The attackers implanted a backdoor into the compression utilities set XZ Utils versions 5.6.0 and 5.6.1.
The Hacker NewsCVE-2024-3094Leveraging Wazuh for Zero Trust security
Learn how Zero Trust security protects organizations by eliminating implicit trust, enabling continuous monitoring, and enhancing incident response
CVE-2024-3094 and XZ Upstream Supply Chain Attack | CrowdStrike
Learn about the CVE-2024-3094 and XZ Upstream Supply Chain Attack and how CrowdStrike is protecting its customers from exploitation.
References
EPSS Score
84% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
- 🥇
Vulnerability reached the number 1 worldwide trending spot
- 📈
Vulnerability started trending
- 📰
First article discovered by Beeping Computers
Vulnerability published
Vulnerability Reserved